
Bug#781455: marked as done (RFS: util-linux/2.25.2-5.1 (fixing `unshare -r` regression) [NMU])



Your message dated Mon, 30 Mar 2015 00:48:51 +0200
with message-id <20150329224851.GA12797@fatal.se>
and subject line Re: Bug#781455: RFS: util-linux/2.25.2-5.1  (fixing `unshare -r` regression) [NMU]
has caused the Debian Bug report #781455,
regarding RFS: util-linux/2.25.2-5.1  (fixing `unshare -r` regression) [NMU]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781455: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781455
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: important
Tags: upstream patch

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in
2014, stopped working for Jessie:

    https://bugs.debian.org/780841

The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

    https://lists.debian.org/debian-release/2015/03/msg00661.html

and then a proper unblock request filed:

    https://bugs.debian.org/781163


Since I have no upload rights, in the unblock request I've only presented a diff
for the source package, and so Niels suggested I should upload a package with
the fix to mentors.debian.net and seek a sponsor:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163#22

which I do here.

Could someone please sponsor this upload with an important (imho) fix
to make `unshare -r` work again for Jessie? The fix was pre-approved by Andreas,
but somehow it turned out that I am the one who should take care of the actual upload being done.

Thanks beforehand,
Kirill

P.S. proposed debdiff to util-linux/2.25.2-5 (current sid/jessie version)
follows:

---- 8< ----
diff --git a/debian/changelog b/debian/changelog
index 7850238..0d80c1b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+util-linux (2.25.2-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
+
+ -- Kirill Smelkov <kirr@nexedi.com>  Wed, 25 Mar 2015 16:23:34 +0300
+
 util-linux (2.25.2-5) unstable; urgency=medium
 
   * Revert "Trigger update of initramfs on upgrades" (Closes: #773354)
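Review bot: the changelog entry "Cherry-pick `unshare -r` fix from upstream" does not say which upstream commit is being cherry-picked; the Origin header of the new patch file carries it (0bf159413bdb9e324864a422b7aecb081e739119), and naming the short hash in the entry, e.g. "Cherry-pick upstream commit 0bf1594 (unshare: Fix --map-root-user to work on new kernels)", makes the NMU self-describing for anyone reading the changelog without the source package.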
diff --git a/debian/patches/series b/debian/patches/series
index 6428b26..577ad52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ Update-Japanese-translation.patch
 Update-Russian-translation.patch
 Trivial-unfuzzy.patch
 libblkid-care-about-unsafe-chars-in-cache.patch
+unshare-Fix-map-root-user-to-work-on-new-kernels.patch
diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
new file mode 100644
index 0000000..9a469c1
--- /dev/null
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
@@ -0,0 +1,71 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 17 Dec 2014 17:06:03 -0600
+Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
+Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
+
+In rare cases droping groups with setgroups(0, NULL) is an operation
+that can grant a user additional privileges.  User namespaces were
+allwoing that operation to unprivileged users and that had to be
+fixed.
+
+Update unshare --map-root-user to disable the setgroups operation
+before setting the gid_map.
+
+This is needed as after the security fix gid_map is restricted to
+privileged users unless setgroups has been disabled.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ include/pathnames.h |  1 +
+ sys-utils/unshare.c | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/include/pathnames.h b/include/pathnames.h
+index 0d21b98..cbc93b7 100644
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -93,6 +93,7 @@
+ 
+ #define _PATH_PROC_UIDMAP	"/proc/self/uid_map"
+ #define _PATH_PROC_GIDMAP	"/proc/self/gid_map"
++#define _PATH_PROC_SETGROUPS	"/proc/self/setgroups"
+ 
+ #define _PATH_PROC_ATTR_CURRENT	"/proc/self/attr/current"
+ #define _PATH_PROC_ATTR_EXEC	"/proc/self/attr/exec"
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index fccdba2..9fdce93 100644
+--- a/sys-utils/unshare.c
++++ b/sys-utils/unshare.c
+@@ -39,6 +39,24 @@
+ #include "pathnames.h"
+ #include "all-io.h"
+ 
++static void disable_setgroups(void)
++{
++	const char *file = _PATH_PROC_SETGROUPS;
++	const char *deny = "deny";
++	int fd;
++
++	fd = open(file, O_WRONLY);
++	if (fd < 0) {
++		if (errno == ENOENT)
++			return;
++		 err(EXIT_FAILURE, _("cannot open %s"), file);
++	}
++
++	if (write_all(fd, deny, strlen(deny)))
++		err(EXIT_FAILURE, _("write failed %s"), file);
++	close(fd);
++}
++
+ static void map_id(const char *file, uint32_t from, uint32_t to)
+ {
+ 	char *buf;
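Review bot: the `if (errno == ENOENT) return;` branch in disable_setgroups() deserves a one-line comment explaining why ENOENT is tolerated (per the commit message, only kernels carrying the setgroups security fix restrict gid_map, and those are the kernels that provide /proc/self/setgroups; on older kernels the file is absent and there is nothing to deny); as written it reads like an oversight rather than a deliberate compatibility path. Style: the line `err(EXIT_FAILURE, _("cannot open %s"), file);` has a stray leading space and is indented one column deeper than the enclosing `if (fd < 0) {` body.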
+@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
+ 	}
+ 
+ 	if (maproot) {
++		disable_setgroups();
+ 		map_id(_PATH_PROC_UIDMAP, 0, real_euid);
+ 		map_id(_PATH_PROC_GIDMAP, 0, real_egid);
+ 	}
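Review bot: the ordering inside `if (maproot)` is load-bearing but undocumented: `disable_setgroups();` must precede `map_id(_PATH_PROC_GIDMAP, 0, real_egid);`, since (per the commit message) the kernel only accepts an unprivileged gid_map write once setgroups has been denied; a short comment on the call would stop a future cleanup from reordering it. Also, the diffstat shows only include/pathnames.h and sys-utils/unshare.c changing, so the unshare man page is not updated to state that --map-root-user now permanently disables setgroups() inside the new user namespace, which anyone relying on supplementary groups there will notice.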

--- End Message ---
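To make the mechanism behind the regression concrete, here is an added stand-alone C program (my example, not code from the thread or from util-linux) that performs the same sequence `unshare --map-root-user` runs: unshare(CLONE_NEWUSER), write "deny" to /proc/self/setgroups, then write the uid_map and gid_map. It assumes a Linux kernel with unprivileged user namespaces enabled; the helper names (format_id_map, write_proc_file, deny_setgroups, map_root_user) and the `--no-deny` flag are my own. Run it as an unprivileged user: without arguments it should report euid=0 egid=0 inside the new namespace and then show setgroups() failing, which is the cost of the fix; with `--no-deny` it skips the setgroups step and, on a kernel carrying the setgroups security fix, the gid_map write should fail with "Operation not permitted", which is exactly what broke `unshare -r`. If the very first step, unshare(CLONE_NEWUSER), fails with EPERM, unprivileged user namespaces are disabled on that host and the test says nothing about the patch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Build the one-line "<inside> <outside> 1" mapping that the kernel expects
 * in /proc/self/uid_map and /proc/self/gid_map.  Returns the byte count,
 * or -1 if it would not fit in buf. */
int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, size, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Write data to a /proc file with a single write(2), as the kernel requires
 * for the id maps and for setgroups.  Returns 1 on success, 0 if the file
 * does not exist (ENOENT), -1 on any other failure with errno set. */
int write_proc_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    int saved = (w < 0) ? errno : EIO;   /* short write: report EIO */
    close(fd);
    if (w < 0 || (size_t)w != len) {
        errno = saved;
        return -1;
    }
    return 1;
}

/* The step the patch adds: deny setgroups() in the new user namespace.
 * Kernels older than the setgroups fix have no /proc/self/setgroups and do
 * not restrict gid_map either, so ENOENT (return 0) is not an error. */
int deny_setgroups(const char *setgroups_path)
{
    return write_proc_file(setgroups_path, "deny");
}

/* What `unshare --map-root-user` does.  With deny == 0 the setgroups step is
 * skipped (hypothetical knob for this example), which reproduces the
 * regression on kernels carrying the fix: for an unprivileged caller the
 * gid_map write then fails with EPERM.  Returns 0 on success, -1 with errno
 * set and *step naming the step that failed. */
int map_root_user(int deny, const char **step)
{
    unsigned euid = (unsigned)geteuid();
    unsigned egid = (unsigned)getegid();
    char map[64];

    *step = "unshare(CLONE_NEWUSER)";
    if (unshare(CLONE_NEWUSER) < 0)
        return -1;

    *step = "write /proc/self/setgroups";
    if (deny && deny_setgroups("/proc/self/setgroups") < 0)
        return -1;

    *step = "write /proc/self/uid_map";
    format_id_map(map, sizeof map, 0, euid);
    if (write_proc_file("/proc/self/uid_map", map) != 1)
        return -1;

    *step = "write /proc/self/gid_map";
    format_id_map(map, sizeof map, 0, egid);
    if (write_proc_file("/proc/self/gid_map", map) != 1)
        return -1;

    return 0;
}

int main(int argc, char **argv)
{
    const char *step = "";
    int deny = !(argc > 1 && strcmp(argv[1], "--no-deny") == 0);

    if (map_root_user(deny, &step) < 0) {
        fprintf(stderr, "%s: %s\n", step, strerror(errno));
        return 1;
    }
    printf("euid=%u egid=%u inside the new user namespace\n",
           (unsigned)geteuid(), (unsigned)getegid());
    /* The price of the fix: setgroups() is now permanently denied here. */
    if (setgroups(0, NULL) < 0)
        printf("setgroups(0, NULL): %s\n", strerror(errno));
    return 0;
}
```

Note that the whole sequence runs in the calling process, so the maps are written to /proc/self/ from inside the new namespace, the same way the patched unshare.c does it; a privileged caller (CAP_SETGID in the parent namespace) is not subject to the gid_map restriction, so `--no-deny` only shows the failure when run as an ordinary user.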
--- Begin Message ---
Hello Kirill Smelkov!

On Sun, Mar 29, 2015 at 05:49:11PM +0300, Kirill Smelkov wrote:
> Package: sponsorship-requests
> Severity: important
> Tags: upstream patch
> 
> Hello up there,
> 
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
> 
>     https://bugs.debian.org/780841
> 
> The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)
> 
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
> 
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
> 
>     https://lists.debian.org/debian-release/2015/03/msg00661.html
> 
> and then a proper unblock request filed:
> 
>     https://bugs.debian.org/781163
> 
> 
> Since I have no upload rights, in the unblock request I've only presented a diff
> for the source package, and so Niels suggested I should upload a package with
> the fix to mentors.debian.net and seek a sponsor:
> 
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163#22
> 
> which I do here.

Thanks for your nice bug summary, solution and also for doing
the administrative trivia to pave the way.

> 
> Could someone please sponsor this upload with an important (imho) fix
> to make `unshare -r` work again for Jessie?

I've uploaded an equivalent package to your proposed NMU.
(Only equivalent because I care about the VCS history. Please
do check out the Vcs-Git field and the git repository for pkg-util-linux
if you're interested in doing further work. Your help with bug-triaging
util-linux bugs would be very welcome!)

> The fix was pre-approved by Andreas, but somehow it turned out that I am the one who
> should take care of the actual upload being done.

As always, the one who wants to get something done needs to take the lead.
Please remember we're all volunteers here (at least I definitely am).

Regards,
Andreas Henriksson

--- End Message ---