Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
Control: tags -1 d-i
On 2015-03-25 14:58, Kirill Smelkov wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian.org@packages.debian.org
> Usertags: unblock, confirmed, moreinfo
>
> Hello up there,
>
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
>
> https://bugs.debian.org/780841
>
> The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
>
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
>
> https://lists.debian.org/debian-release/2015/03/msg00661.html
>
>
> Niels asked to file an unblock request with full intended debdiff, which
> I do here. It is an NMU, because there is no reply from Andreas for
> several days. Hope it is ok.
>
>
> Thanks beforehand,
> Kirill
>
Hi,
I have unblocked this now and am CC'ing KiBi for a d-i ack. I am also
quoting in full for his convenience.
Thanks,
~Niels
>
> diff --git a/debian/changelog b/debian/changelog
> index 7850238..0d80c1b 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +util-linux (2.25.2-5.1) unstable; urgency=medium
> +
> + * Non-maintainer upload.
> + * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
> +
> + -- Kirill Smelkov <kirr@nexedi.com> Wed, 25 Mar 2015 16:23:34 +0300
> +
> util-linux (2.25.2-5) unstable; urgency=medium
>
> * Revert "Trigger update of initramfs on upgrades" (Closes: #773354)
> diff --git a/debian/patches/series b/debian/patches/series
> index 6428b26..577ad52 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -17,3 +17,4 @@ Update-Japanese-translation.patch
> Update-Russian-translation.patch
> Trivial-unfuzzy.patch
> libblkid-care-about-unsafe-chars-in-cache.patch
> +unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> new file mode 100644
> index 0000000..9a469c1
> --- /dev/null
> +++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> @@ -0,0 +1,71 @@
> +From: "Eric W. Biederman" <ebiederm@xmission.com>
> +Date: Wed, 17 Dec 2014 17:06:03 -0600
> +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
> +Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
> +
> +In rare cases droping groups with setgroups(0, NULL) is an operation
> +that can grant a user additional privileges. User namespaces were
> +allwoing that operation to unprivileged users and that had to be
> +fixed.
> +
> +Update unshare --map-root-user to disable the setgroups operation
> +before setting the gid_map.
> +
> +This is needed as after the security fix gid_map is restricted to
> +privileged users unless setgroups has been disabled.
> +
> +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> +---
> + include/pathnames.h | 1 +
> + sys-utils/unshare.c | 19 +++++++++++++++++++
> + 2 files changed, 20 insertions(+)
> +
> +diff --git a/include/pathnames.h b/include/pathnames.h
> +index 0d21b98..cbc93b7 100644
> +--- a/include/pathnames.h
> ++++ b/include/pathnames.h
> +@@ -93,6 +93,7 @@
> +
> + #define _PATH_PROC_UIDMAP "/proc/self/uid_map"
> + #define _PATH_PROC_GIDMAP "/proc/self/gid_map"
> ++#define _PATH_PROC_SETGROUPS "/proc/self/setgroups"
> +
> + #define _PATH_PROC_ATTR_CURRENT "/proc/self/attr/current"
> + #define _PATH_PROC_ATTR_EXEC "/proc/self/attr/exec"
> +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
> +index fccdba2..9fdce93 100644
> +--- a/sys-utils/unshare.c
> ++++ b/sys-utils/unshare.c
> +@@ -39,6 +39,24 @@
> + #include "pathnames.h"
> + #include "all-io.h"
> +
> ++static void disable_setgroups(void)
> ++{
> ++ const char *file = _PATH_PROC_SETGROUPS;
> ++ const char *deny = "deny";
> ++ int fd;
> ++
> ++ fd = open(file, O_WRONLY);
> ++ if (fd < 0) {
> ++ if (errno == ENOENT)
> ++ return;
> ++ err(EXIT_FAILURE, _("cannot open %s"), file);
> ++ }
> ++
> ++ if (write_all(fd, deny, strlen(deny)))
> ++ err(EXIT_FAILURE, _("write failed %s"), file);
> ++ close(fd);
> ++}
> ++
> + static void map_id(const char *file, uint32_t from, uint32_t to)
> + {
> + char *buf;
> +@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
> + }
> +
> + if (maproot) {
> ++ disable_setgroups();
> + map_id(_PATH_PROC_UIDMAP, 0, real_euid);
> + map_id(_PATH_PROC_GIDMAP, 0, real_egid);
> + }
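Review bot: the user-visible change in behaviour of `--map-root-user` is not documented in this hunk: `disable_setgroups()` writes "deny" to `/proc/self/setgroups` before `map_id(_PATH_PROC_GIDMAP, ...)`, so the setgroups operation is disabled in the new user namespace, but neither the unshare man page nor the `--help` text is touched by the debdiff. A one-line note under --map-root-user saying that setgroups() is denied in the resulting namespace would spare users who later see it fail a trip to the kernel changelog. The logic itself looks right: the call is placed before the gid_map write, which is the ordering the commit message says the kernel now requires; the `ENOENT` early return keeps older kernels that have no `/proc/self/setgroups` working as before; and any other open or write failure is fatal via err() rather than leaving the later gid_map write to fail for an obscure reason. The typos in the quoted commit message ("droping", "allwoing") are upstream text and can stay as cherry-picked.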
>
>