* “guix system container” script must run as root
@ 2022-08-09 15:13 Ricardo Wurmus
From: Ricardo Wurmus @ 2022-08-09 15:13 UTC (permalink / raw)
To: guix-devel
Hi Guix,
I see that the container script generated by “guix system container”
must be run as root. Looking at “initialize-user-namespace” in (gnu
build linux-container) there is conditional code to be executed only
when running as an unprivileged user, namely writing to
/proc/pid/setgroups. This makes me think that this was originally meant
to be usable without root privileges.
Without root privileges, write access to /proc/pid/* is denied. The
child process here is the result of issuing a clone syscall.
Why can’t the parent process write to the child’s /proc/pid/* files?
Why does the parent process need to do this at all? Can’t the child
process take care of writing its /proc/self/uid_map?
--
Ricardo
* Re: “guix system container” script must run as root
From: Ricardo Wurmus @ 2022-08-09 16:23 UTC (permalink / raw)
To: guix-devel
Ricardo Wurmus <rekado@elephly.net> writes:
> Hi Guix,
>
> I see that the container script generated by “guix system container”
> must be run as root. Looking at “initialize-user-namespace” in (gnu
> build linux-container) there is conditional code to be executed only
> when running as an unprivileged user, namely writing to
> /proc/pid/setgroups. This makes me think that this was originally meant
> to be usable without root privileges.
>
> Without root privileges, write access to /proc/pid/* is denied. The
> child process here is the result of issuing a clone syscall.
>
> Why can’t the parent process write to the child’s /proc/pid/* files?
“man 7 user_namespaces” explains what conditions must be met for a
parent process to write to /proc/childpid/uid_map. There are many
conditions that could lead to EPERM. It seems that writing to
/proc/pid/setgroups succeeds and only writing to uid_map and gid_map
fails.
The parent process should be able to write to these files at least
once; as the parent, it should have the capabilities CAP_SETUID and
CAP_SETGID in the child process namespace.
--
Ricardo
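Added example (written for this page; it is not Guix's linux-container code and not part of the thread): a small C program that does, from the parent side, what both messages above ask about. It clone(2)s a child with CLONE_NEWUSER as an unprivileged user, writes "deny" to /proc/<pid>/setgroups, then one gid_map line and one uid_map line that map the caller's own ids to 0, in the order user_namespaces(7) requires, while the child is held on a pipe until the maps are in place. A second function tries a two-line uid_map, which the man page says is refused with EPERM unless the writer holds CAP_SETUID in the parent user namespace. Assumptions: Linux 3.19 or later (the setgroups file), glibc, and a kernel that permits unprivileged user namespaces (otherwise the program reports them unavailable). The names map_self_to_root_in_child, probe_two_line_uid_map and NS_UNSUPPORTED are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* clone(2) and CLONE_NEWUSER need _GNU_SOURCE; cover a harness that included libc headers first. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#endif

#define NS_UNSUPPORTED (-1000)  /* the kernel or sandbox refused CLONE_NEWUSER */
static int sync_pipe[2];        /* parent closes the write end once the maps are written */

/* Child: wait for EOF on the pipe, then report whether we are now uid 0. */
static int child_main(void *unused)
{
    char c; (void)unused;
    close(sync_pipe[1]);  /* drop our inherited copy of the write end, or EOF never arrives */
    while (read(sync_pipe[0], &c, 1) < 0 && errno == EINTR) ;
    return geteuid() == 0 ? 0 : 1;
}

/* Write one string to /proc/<pid>/<file>; returns 0 or the errno the kernel gave. */
static int write_proc_file(pid_t pid, const char *file, const char *data)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    ssize_t n = (ssize_t)strlen(data);
    int rc = write(fd, data, n) == n ? 0 : errno;  /* a map must arrive in a single write(2) */
    close(fd);
    return rc;
}

/* clone(2) a child into a new user namespace; returns its pid, NS_UNSUPPORTED or -1. */
static pid_t spawn_userns_child(char **stack)
{
    if (pipe(sync_pipe) < 0) return -1;
    if (!(*stack = malloc(64 * 1024))) { close(sync_pipe[0]); close(sync_pipe[1]); return -1; }
    pid_t pid = clone(child_main, *stack + 64 * 1024, CLONE_NEWUSER | SIGCHLD, NULL);
    int e = errno; close(sync_pipe[0]);  /* the parent keeps only the write end */
    if (pid >= 0) return pid;
    close(sync_pipe[1]); free(*stack);
    return (e == EPERM || e == EINVAL || e == ENOSYS || e == EACCES || e == ENOSPC || e == EUSERS) ? NS_UNSUPPORTED : -1;
}

/* Release the child, reap it and free its stack; returns its exit status or -1. */
static int finish_child(pid_t pid, char *stack)
{
    int status, r; close(sync_pipe[1]);
    r = (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
    free(stack);
    return r;
}

/* What user_namespaces(7) allows an unprivileged parent: "deny" to setgroups first, then a single
 * gid_map and uid_map line mapping our own ids to 0, each file written once. Returns 0 if the
 * child became uid 0, the errno of the first refused write, NS_UNSUPPORTED, or -1. */
int map_self_to_root_in_child(void)
{
    char *stack, line[64];
    pid_t pid = spawn_userns_child(&stack);
    if (pid < 0) return (int)pid;
    int rc = write_proc_file(pid, "setgroups", "deny");
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getegid());
    if (rc == 0) rc = write_proc_file(pid, "gid_map", line);
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)geteuid());
    if (rc == 0) rc = write_proc_file(pid, "uid_map", line);
    int child_rc = finish_child(pid, stack);  /* always reap, even after a refused write */
    return rc ? rc : (child_rc == 0 ? 0 : -1);
}

/* The other half of the rule: without CAP_SETUID in the *parent* user namespace, anything beyond a
 * single line mapping our own euid is refused with EPERM. Returns 0 if the two-line map was
 * accepted (the writer was privileged), the errno of the refusal, NS_UNSUPPORTED, or -1. */
int probe_two_line_uid_map(void)
{
    char *stack, line[96];
    pid_t pid = spawn_userns_child(&stack);
    if (pid < 0) return (int)pid;
    unsigned me = (unsigned)geteuid(); snprintf(line, sizeof line, "0 %u 1\n1 %u 1\n", me, me + 1);
    int rc = write_proc_file(pid, "uid_map", line);
    finish_child(pid, stack);
    return rc;
}

int main(void)
{
    int r = map_self_to_root_in_child(), p = probe_two_line_uid_map();
    printf("single-line self map -> %s\n", r == 0 ? "child is uid 0" : r > 0 ? strerror(r) : "unavailable/failed");
    printf("two-line uid_map     -> %s\n", p == 0 ? "accepted (privileged)" : p > 0 ? strerror(p) : "unavailable/failed");
    return 0;
}
```

Build with `cc -o userns-maps userns-maps.c` and run it as a normal user: the first line should report the child as uid 0 and the second an "Operation not permitted", which is the rule the second message quotes from user_namespaces(7) seen from both sides. The parent, as the namespace's creator with the matching effective uid, holds every capability inside the child namespace, so the setgroups write and the single self-mapping line go through; a map that covers any id other than the writer's own (or more than one line) additionally needs CAP_SETUID or CAP_SETGID in the parent namespace, which only root has, and run as root both writes succeed. Two checks worth doing when a container script fails on uid_map or gid_map but not on setgroups: whether the map it writes covers more than the writer's own id, and whether the kernel lets unprivileged users create user namespaces at all (the Debian/Ubuntu kernel.unprivileged_userns_clone sysctl and newer AppArmor restrictions make clone itself fail with EPERM, which this program reports as "unavailable").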