[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#60890: least-authority-wrapper and make-forkexec-constructor composi
|
From: |
Maxim Cournoyer |
|
Subject: |
bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem |
|
Date: |
Tue, 17 Jan 2023 14:30:03 -0500 |
Hi,
I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper [0], to avoid forgetting about it.
It was found that using something like:
--8<---------------cut here---------------start------------->8---
(make-forkexec-constructor
(least-authority
(list (file-append coreutils "/bin/true"))
(mappings (delq 'user %namespaces))
#:user "nobody"
#:group "nobody"))
--8<---------------cut here---------------end--------------->8---
Would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.
The solution proposed by Ludovic in would be to [1]:
> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.
[0] https://issues.guix.gnu.org/54786#16
[1] https://issues.guix.gnu.org/54786#17
--
Thanks,
Maxim
- bug#60890: least-authority-wrapper and make-forkexec-constructor composition problem,
Maxim Cournoyer <=