Re: Proposal for new restriction: "nosession"

To: Christian Kastner <ckk@debian.org>
Cc: debian-ci@lists.debian.org
Subject: Re: Proposal for new restriction: "nosession"
From: Antonio Terceiro <terceiro@debian.org>
Date: Fri, 14 Apr 2023 14:25:35 -0300
Message-id: <[🔎] ZDmMj8RBWxL8cuX0@debian.org>
Mail-followup-to: Antonio Terceiro <terceiro@debian.org>, Christian Kastner <ckk@debian.org>, debian-ci@lists.debian.org
In-reply-to: <8a60aaea-6e1f-b902-51d6-07ec4fc852a9@debian.org>
References: <8a60aaea-6e1f-b902-51d6-07ec4fc852a9@debian.org>

Hi,

On Sat, Mar 25, 2023 at 07:32:26PM +0100, Christian Kastner wrote:
> When the testbed has the 'root-on-testbed' capability, autopkgtest
> insists on running tests through `su root` [1]. This seems redundant,
> but is explained in the comment:
> 
> > this ensures that we have a PAM/logind session for root tests as
> > well; with some interfaces like ttyS1 or lxc_attach we don't log
> > in to the testbed
> 
> The problem with this is that it breaks rootless podman containers where
> files/devices are passed in with group ownership. The host user's groups
> can be kept with podman's --group-add=keep-groups feature, but this
> feature is lost by su's setgroups() call.
> 
> Workarounds are to either run the containers as root, or modify
> /etc/setgid as needed. However, those workarounds require privileges to
> set up.
> 
> It would seem simpler to just add a new restriction, call it "nosession"
> or whatever, so that tests can explicitly declare that they don't need a
> session, be it for the above reason, or any other.
> 
> If you think this idea has merit, should I prepare a proposed update to
> code + docs in an MR?
> 
> Steps to reproduce:
> 
> # On the host, pick an arbitrary secondary group of the user. In this example, I'll use group video.
> # Create a file with root:video ownership, and no read permissions for other:
> 
> $ echo "eureka" > /tmp/canary && chmod 640 /tmp/canary && sudo chown root:video /tmp/canary
> $ ls -l /tmp/canary 
> -rw-r----- 1 root video 6 Mar 19 10:28 /tmp/canary
> 
> # Run the container, bind-mounting the file
> $ podman run --rm -it --volume=/tmp/canary:/tmp/canary --group-add keep-groups debian:unstable
> 
> root@2925ce478c61:/# cat /tmp/canary
> eureka
> root@2925ce478c61:/# su
> root@2925ce478c61:/# cat /tmp/canary
> cat: /tmp/canary: Permission denied

Can you ellaborate on how did you hit this issue while using
autopkgtest? What exactly is broken?

In any case, this sounds to me like a technical limitation of podman
and/or the autopkgtest podman backend, and not like something we want to
include in the specification.

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Proposal for new restriction: "nosession"
  - From: Christian Kastner <ckk@debian.org>

Prev by Date: Re: Proposal for new restriction: "nosession"
Next by Date: Re: Proposal for new restriction: "nosession"
Previous by thread: Re: Proposal for new restriction: "nosession"
Next by thread: Re: Proposal for new restriction: "nosession"
Index(es):
- Date
- Thread