--- Begin Message ---
Package: sponsorship-requests
Severity: important
Tags: upstream patch
Hello up there,
Recently I've discovered that `unshare -r`, though it used to work in
2014, stopped working for Jessie:
https://bugs.debian.org/780841
The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
https://lists.debian.org/debian-release/2015/03/msg00661.html
and then a proper unblock request filed:
https://bugs.debian.org/781163
Since I have no upload rights, in the unblock request I've only presented a diff
for the source package, and so Niels suggested I should upload a package with
the fix to mentors.debian.net and seek a sponsor:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163#22
which I do here.
Could someone please sponsor this upload with the important (imho) fix
to make `unshare -r` work again for Jessie? The fix was pre-approved by Andreas,
but somehow it turned out that it is me who should take care of the actual upload being done.
Thanks beforehand,
Kirill
P.S. proposed debdiff to util-linux/2.25.2-5 (current sid/jessie version)
follows:
---- 8< ----
diff --git a/debian/changelog b/debian/changelog
index 7850238..0d80c1b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+util-linux (2.25.2-5.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
+
+ -- Kirill Smelkov <kirr@nexedi.com> Wed, 25 Mar 2015 16:23:34 +0300
+
util-linux (2.25.2-5) unstable; urgency=medium
* Revert "Trigger update of initramfs on upgrades" (Closes: #773354)
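Review bot: the changelog line "Cherry-pick `unshare -r` fix from upstream" gives neither the origin of the fix nor the reason for it; the added patch file already carries the upstream commit in its Origin header (0bf159413bdb9e324864a422b7aecb081e739119) and explains that newer kernels refuse gid_map until setgroups is denied, so naming that commit and the kernel-side reason in the changelog would let a jessie user reading the changelog understand the behaviour change without opening debian/patches.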
diff --git a/debian/patches/series b/debian/patches/series
index 6428b26..577ad52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ Update-Japanese-translation.patch
Update-Russian-translation.patch
Trivial-unfuzzy.patch
libblkid-care-about-unsafe-chars-in-cache.patch
+unshare-Fix-map-root-user-to-work-on-new-kernels.patch
diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
new file mode 100644
index 0000000..9a469c1
--- /dev/null
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
@@ -0,0 +1,71 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 17 Dec 2014 17:06:03 -0600
+Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
+Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
+
+In rare cases droping groups with setgroups(0, NULL) is an operation
+that can grant a user additional privileges. User namespaces were
+allwoing that operation to unprivileged users and that had to be
+fixed.
+
+Update unshare --map-root-user to disable the setgroups operation
+before setting the gid_map.
+
+This is needed as after the security fix gid_map is restricted to
+privileged users unless setgroups has been disabled.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+---
+ include/pathnames.h | 1 +
+ sys-utils/unshare.c | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/include/pathnames.h b/include/pathnames.h
+index 0d21b98..cbc93b7 100644
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -93,6 +93,7 @@
+
+ #define _PATH_PROC_UIDMAP "/proc/self/uid_map"
+ #define _PATH_PROC_GIDMAP "/proc/self/gid_map"
++#define _PATH_PROC_SETGROUPS "/proc/self/setgroups"
+
+ #define _PATH_PROC_ATTR_CURRENT "/proc/self/attr/current"
+ #define _PATH_PROC_ATTR_EXEC "/proc/self/attr/exec"
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index fccdba2..9fdce93 100644
+--- a/sys-utils/unshare.c
++++ b/sys-utils/unshare.c
+@@ -39,6 +39,24 @@
+ #include "pathnames.h"
+ #include "all-io.h"
+
++static void disable_setgroups(void)
++{
++ const char *file = _PATH_PROC_SETGROUPS;
++ const char *deny = "deny";
++ int fd;
++
++ fd = open(file, O_WRONLY);
++ if (fd < 0) {
++ if (errno == ENOENT)
++ return;
++ err(EXIT_FAILURE, _("cannot open %s"), file);
++ }
++
++ if (write_all(fd, deny, strlen(deny)))
++ err(EXIT_FAILURE, _("write failed %s"), file);
++ close(fd);
++}
++
+ static void map_id(const char *file, uint32_t from, uint32_t to)
+ {
+ char *buf;
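Review bot: disable_setgroups() returns silently on ENOENT, which correctly covers kernels that predate /proc/self/setgroups, but nothing in the code says so; a one-line comment stating that ENOENT means the kernel has no setgroups control (so no deny is needed) and that any other open or write_all failure aborts via err() would spare the next reader a trip to the commit message. Writing "deny" is also the point at which setgroups becomes unavailable in the new namespace, which is worth stating next to the write since it is a user-visible change for everything run under --map-root-user.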
+@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
+ }
+
+ if (maproot) {
++ disable_setgroups();
+ map_id(_PATH_PROC_UIDMAP, 0, real_euid);
+ map_id(_PATH_PROC_GIDMAP, 0, real_egid);
+ }
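Review bot: the call order in main() is the critical part of this fix and matches the commit message: disable_setgroups() runs before map_id(_PATH_PROC_GIDMAP, 0, real_egid), as gid_map is refused for unprivileged writers until setgroups is denied. Consider a comment at the call site saying the order must not change, and note that the new call sits only under `if (maproot)`, so users who map ids by other means see no change; that is probably intended but should be stated.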
--- End Message ---
--- Begin Message ---
Hello Kirill Smelkov!
On Sun, Mar 29, 2015 at 05:49:11PM +0300, Kirill Smelkov wrote:
> Package: sponsorship-requests
> Severity: important
> Tags: upstream patch
>
> Hello up there,
>
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
>
> https://bugs.debian.org/780841
>
> The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
>
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
>
> https://lists.debian.org/debian-release/2015/03/msg00661.html
>
> and then a proper unblock request filed:
>
> https://bugs.debian.org/781163
>
>
> Since I have no upload rights, in the unblock request I've only presented a diff
> for the source package, and so Niels suggested I should upload a package with
> the fix to mentors.debian.net and seek a sponsor:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163#22
>
> which I do here.
Thanks for your nice bug summary, solution and also for doing
the administrative trivia to pave the way.
>
> Could someone please sponsor this upload with the important (imho) fix
> to make `unshare -r` work again for Jessie?
I've uploaded an equivalent package to your proposed NMU.
(Only equivalent because I care about the VCS history. Please
do check out the Vcs-Git field and the git repository for pkg-util-linux
if you're interested in doing further work. Your help with bug-triaging
util-linux bugs would be very welcome!)
> The fix was pre-approved by Andreas, but somehow it turned out that it is me who
> should take care of the actual upload being done.
As always, the one who wants to get something done needs to take the lead.
Please remember we're all volunteers here (at least I definitely am).
Regards,
Andreas Henriksson
--- End Message ---