Proposal for new restriction: "nosession"
When the testbed has the 'root-on-testbed' capability, autopkgtest
insists on running tests through `su root` [1]. This seems redundant,
but is explained in the comment:
> this ensures that we have a PAM/logind session for root tests as
> well; with some interfaces like ttyS1 or lxc_attach we don't log
> in to the testbed
The problem with this is that it breaks rootless podman containers where
files/devices are passed in with group ownership. The host user's groups
can be kept with podman's --group-add=keep-groups feature, but this
feature is lost by su's setgroups() call.
Workarounds are to either run the containers as root, or modify
/etc/setgid as needed. However, those workarounds require privileges to
set up.
It would seem simpler to just add a new restriction, call it "nosession"
or whatever, so that tests can explicitly declare that they don't need a
session, be it for the above reason, or any other.
If you think this idea has merit, should I prepare a proposed update to
code + docs in an MR?
Steps to reproduce:
# On the host, pick an arbitrary secondary group of the user. In this example, I'll use group video.
# Create a file with root:video ownership, and no read permissions for other:
$ echo "eureka" > /tmp/canary && chmod 640 /tmp/canary && sudo chown root:video /tmp/canary
$ ls -l /tmp/canary
-rw-r----- 1 root video 6 Mar 19 10:28 /tmp/canary
# Run the container, bind-mounting the file
$ podman run --rm -it --volume=/tmp/canary:/tmp/canary --group-add keep-groups debian:unstable
root@2925ce478c61:/# cat /tmp/canary
eureka
root@2925ce478c61:/# su
root@2925ce478c61:/# cat /tmp/canary
cat: /tmp/canary: Permission denied
Best,
Christian
[1] https://salsa.debian.org/ci-team/autopkgtest/-/blob/master/lib/adt_testbed.py#L1124-1130
Reply to: