Hello,

Noticed this on Guix (https://issues.guix.gnu.org/77862#5) with coreutils 9.1 and also verified with the latest release, 9.7.

When building and running the testsuite of coreutils on Linux in a user namespace as an unprivileged user, the latter may fail chgrp test cases:

FAIL: tests/chgrp/default-no-deref.sh
FAIL: tests/chgrp/no-x.sh
FAIL: tests/chgrp/posix-H.sh
FAIL: tests/chgrp/recurse.sh
FAIL: tests/chgrp/basic.sh

The cause of this is supplementary groups of the build process which are not mapped in the user namespace via /proc/pid/gid_map.

Inside the user namespace these groups are reported as the overflow gid (by default 65534). require_membership_in_two_groups_ in init.cfg has no exemption for this gid and the chgrp tests will attempt to change ownership to this gid, assuming this to be valid, as is usually the case when changing ownership to a supplementary group. However, this is not allowed for the unmapped overflow gid and the syscall will fail.

The same problem occurs in gnulib-tests, but I suppose I should report this to the bug-gnulib list.

This was noticed during experimentation with Guix's new feature to run the build daemon as an unprivileged user process, which relies on unprivileged user namespaces to construct the build container. As discussed in the linked issue, it isn't really an option to drop the supplementary groups in this setting.

I think the overflow gid should be exempt in require_membership_in_two_groups_, as was already implemented for special gids on macOS.

Best,
keinflue
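
The exemption proposed in the message above, sketched as an added example that is not part of the original message and is not coreutils' init.cfg code: the helper names `overflow_gid`, `usable_gids` and `has_two_usable_groups` are hypothetical, and the gid lists are constructed samples. It drops the overflow gid from a group list before deciding whether two groups are available for a chgrp test.

```shell
# Added example; helper names are hypothetical, not taken from init.cfg.

# Print the kernel's overflow gid. Falls back to the Linux default (65534)
# when /proc/sys/kernel/overflowgid is not readable.
overflow_gid() {
  if [ -r /proc/sys/kernel/overflowgid ]; then
    cat /proc/sys/kernel/overflowgid
  else
    echo 65534
  fi
}

# usable_gids OVERFLOW GID...
# Print the given gids, space separated, without the overflow gid and
# without duplicates. Unmapped groups all collapse to the overflow gid,
# and chown(2) to that gid fails inside the namespace.
usable_gids() {
  ovf=$1; shift
  out=
  for g in "$@"; do
    [ "$g" = "$ovf" ] && continue
    case " $out " in *" $g "*) continue ;; esac
    out="${out:+$out }$g"
  done
  echo "$out"
}

# has_two_usable_groups OVERFLOW GID...
# Succeed only if at least two distinct, mapped gids remain.
has_two_usable_groups() {
  case "$(usable_gids "$@")" in
    *' '*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample: group list where only gid 1000 is mapped and the
# supplementary groups show up as the overflow gid.
sample_ns="1000 65534 65534"
# Constructed sample: a group list with every gid mapped.
sample_host="1000 27 998"

echo "namespace: usable gids = [$(usable_gids 65534 $sample_ns)]"
echo "host:      usable gids = [$(usable_gids 65534 $sample_host)]"
```

In a test harness the live check would be `has_two_usable_groups "$(overflow_gid)" $(id -G)`, skipping the test when it fails.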


