Hi,

On Sat, Mar 25, 2023 at 07:32:26PM +0100, Christian Kastner wrote:
> When the testbed has the 'root-on-testbed' capability, autopkgtest
> insists on running tests through `su root` [1]. This seems redundant,
> but is explained in the comment:
>
> > this ensures that we have a PAM/logind session for root tests as
> > well; with some interfaces like ttyS1 or lxc_attach we don't log
> > in to the testbed
>
> The problem with this is that it breaks rootless podman containers where
> files/devices are passed in with group ownership. The host user's groups
> can be kept with podman's --group-add=keep-groups feature, but this
> feature is lost by su's setgroups() call.
>
> Workarounds are to either run the containers as root, or modify
> /etc/setgid as needed. However, those workarounds require privileges to
> set up.
>
> It would seem simpler to just add a new restriction, call it "nosession"
> or whatever, so that tests can explicitly declare that they don't need a
> session, be it for the above reason, or any other.
>
> If you think this idea has merit, should I prepare a proposed update to
> code + docs in an MR?
>
> Steps to reproduce:
>
> # On the host, pick an arbitrary secondary group of the user. In this example, I'll use group video.
> # Create a file with root:video ownership, and no read permissions for other:
>
> $ echo "eureka" > /tmp/canary && chmod 640 /tmp/canary && sudo chown root:video /tmp/canary
> $ ls -l /tmp/canary
> -rw-r----- 1 root video 6 Mar 19 10:28 /tmp/canary
>
> # Run the container, bind-mounting the file
> $ podman run --rm -it --volume=/tmp/canary:/tmp/canary --group-add keep-groups debian:unstable
>
> root@2925ce478c61:/# cat /tmp/canary
> eureka
> root@2925ce478c61:/# su
> root@2925ce478c61:/# cat /tmp/canary
> cat: /tmp/canary: Permission denied

Can you elaborate on how you hit this issue while using autopkgtest? What exactly is broken?
In any case, this sounds to me like a technical limitation of podman and/or the autopkgtest podman backend, and not like something we want to include in the specification.
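The following is an added example and is not code from this thread, from autopkgtest or from podman. It isolates the mechanism the quoted reproduction relies on: `su` (here `su` with no arguments, i.e. target user root, gid 0) rebuilds the process's supplementary group list from /etc/group via initgroups(3), so any gid that was only present because `--group-add keep-groups` carried it over from the host is discarded, and a file readable only through that group becomes unreadable. The program snapshots the supplementary groups, performs the same reset, and reports whether a chosen gid survived. Assumptions: the "canary" gid is simply the first non-root supplementary group the process happens to have (a constructed choice standing in for `video` in the report), and the reset needs CAP_SETGID; without it initgroups() fails with EPERM, which the program reports instead of claiming the drop happened.

```c
/* Added example, not code from the thread or from autopkgtest/podman.
 * Shows why `su` loses groups injected by podman's --group-add keep-groups:
 * su calls initgroups(3) for the target user, replacing the supplementary
 * group list with what /etc/group says; gids that only existed because they
 * were carried over from the host are dropped. Needs CAP_SETGID to change
 * groups; otherwise the reset fails with EPERM and that is reported. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the current supplementary group list into *out (malloc'd, caller frees).
 * Returns the number of entries, or -1 on error. */
int current_groups(gid_t **out)
{
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *g = calloc((size_t)n + 1, sizeof *g);  /* +1: list may grow between the two calls */
    if (!g) return -1;
    n = getgroups(n + 1, g);
    if (n < 0) { free(g); return -1; }
    *out = g;
    return n;
}

/* 1 if gid is in the supplementary list, 0 if not, -1 on error. */
int has_supplementary_gid(gid_t gid)
{
    gid_t *g = NULL;
    int n = current_groups(&g);
    if (n < 0) return -1;
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (g[i] == gid) { found = 1; break; }
    }
    free(g);
    return found;
}

/* The su-side step: replace the supplementary list with the groups /etc/group
 * lists for `user`, plus `primary`. Returns 0 on success, -1 with errno set
 * (EPERM when the caller lacks CAP_SETGID). */
int reset_groups_like_su(const char *user, gid_t primary)
{
    return initgroups(user, primary);
}

int main(void)
{
    gid_t *before = NULL;
    int n = current_groups(&before);
    if (n < 0) { perror("getgroups"); return 1; }

    printf("supplementary groups before su-style reset:");
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)before[i]);
    printf("\n");

    /* Constructed choice: stand-in for the `video` group of the report is the
     * first non-root supplementary gid this process has, if any. */
    gid_t canary_gid = 0;
    for (int i = 0; i < n; i++) {
        if (before[i] != 0) { canary_gid = before[i]; break; }
    }
    free(before);

    /* `su` with no arguments targets root / gid 0. */
    if (reset_groups_like_su("root", 0) != 0) {
        printf("initgroups(root) failed: %s (CAP_SETGID needed to reproduce)\n",
               strerror(errno));
        return 0;
    }
    if (canary_gid == 0) {
        printf("no non-root supplementary group available to check\n");
        return 0;
    }
    /* A gid that survives here is one /etc/group lists for root; anything
     * else, including host groups kept by podman, is gone. */
    printf("gid %u still present after reset: %s\n", (unsigned)canary_gid,
           has_supplementary_gid(canary_gid) ? "yes"
                                             : "no (files readable only via that group are now denied)");
    return 0;
}
```

Inside a container started as in the quoted steps, the equivalent manual check is `id -G` before and after `su`: the host gid that keep-groups preserved appears in the first listing and not in the second, which is exactly the state in which the `cat /tmp/canary` fails.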