On 03/05/2025 04:38, keinflue wrote:
> Hello,
>
> noticed this on Guix (https://issues.guix.gnu.org/77862#5) with
> coreutils 9.1 and also verified with latest release 9.7.
>
> When building and running the testsuite of coreutils on Linux in a user
> namespace as unprivileged user the latter may fail chgrp test cases:
>
> FAIL: tests/chgrp/default-no-deref.sh
> FAIL: tests/chgrp/no-x.sh
> FAIL: tests/chgrp/posix-H.sh
> FAIL: tests/chgrp/recurse.sh
> FAIL: tests/chgrp/basic.sh
>
> The cause for this are supplementary groups of the build process which
> are not mapped in the user namespace via /proc/pid/gid_map.
>
> Inside the user namespace these groups are reported as the overflow gid
> (by default 65534). require_membership_in_two_groups_ in init.cfg has no
> exemption for this gid and the chgrp tests will attempt to change
> ownership to this gid, assuming this to be valid as usually is the case
> when changing ownership to a supplementary group. However, this is not
> allowed for the unmapped overflow gid and the syscall will fail.
>
> The same problem occurs in gnulib-tests, but I suppose I should report
> this to the bug-gnulib list.
>
> This was noticed during experimentation with Guix's new feature to run
> the build daemon as unprivileged user process, which relies on
> unprivileged user namespaces to construct the build container. As
> discussed in the linked issue it isn't really an option to drop the
> supplementary groups in this setting.
>
> I think the overflow gid should be exempt in
> require_membership_in_two_groups_ as was already implemented for special
> gids on macOS.

Thanks for the details.
I pushed the attached to avoid this issue.
Marking this as done.

cheers,
Padraig.

From 6218cb18b0b7bfdb78dbdd20f3c7ca513bca919c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <p...@draigbrady.com>
Date: Sat, 3 May 2025 09:59:16 +0100
Subject: [PATCH] tests: avoid false failures in user namespaces
* init.cfg (require_membership_in_two_groups_): Skip
overflow gids used in user namespaces, as one can't
chgrp() to these.
Fixes https://bugs.gnu.org/78225
---
init.cfg | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/init.cfg b/init.cfg
index 7e21f96c6..982418900 100644
--- a/init.cfg
+++ b/init.cfg
@@ -504,6 +504,10 @@ require_membership_in_two_groups_()
{
test $# = 0 || framework_failure_
+ # Skip overflow gids used in user namespaces
+ overflow_gid=$(cat /proc/sys/kernel/overflowgid 2>/dev/null)
+ : "${overflow_gid:=1}"
+
groups=
for group_ in 1 \
${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)}
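Review bot: The fallback in `: "${overflow_gid:=1}"` is not explained; the comment above it only says that overflow gids are skipped. A short note would help: 1 is used when /proc/sys/kernel/overflowgid cannot be read because 1 is already the seed value of the `for group_ in 1 \` loop and is already in the skip list, so the fallback adds no new exclusion on systems without that file.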
@@ -511,7 +515,7 @@ require_membership_in_two_groups_()
# Skip group numbers equal to 2**N - 1 for common N,
# as they are possibly reserved groups like 'nogroup'.
case $group_ in
- 1 | 32767 | 65535 | 2147483647 | 4294967295) ;;
+ $overflow_gid | 1 | 32767 | 65535 | 2147483647 | 4294967295) ;;
9223372036854775807 | 18446744073709551615) ;;
*) test -z "$groups" || groups="$groups "
groups="$groups$group_";;
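Review bot: The comment above the case statement still says the skipped numbers are those equal to 2**N - 1, which does not describe the new first alternative `$overflow_gid` (the report gives its default as 65534). Suggest extending that comment to mention the user-namespace overflow gid, or moving the "Skip overflow gids used in user namespaces" comment from the first hunk down to this line. As a smaller point, `$overflow_gid` is expanded unquoted in the pattern, so it is matched as a pattern rather than a literal string; writing `"$overflow_gid"` keeps it literal.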
--
2.49.0
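
The report above traces the failures to supplementary groups that have no entry in /proc/pid/gid_map. As an added example (not coreutils code and not part of the pushed patch), the following shell functions check each gid against the namespace's map directly, which goes beyond the patch's comparison with the overflow gid. The function names and the sample map are constructed for illustration; the map line format "inside_start outside_start length" is the one documented in user_namespaces(7).

```shell
#!/bin/sh
# Added example: find which gids seen inside a user namespace have a
# mapping, since a gid with no mapping cannot be a chgrp target.

# gid_is_mapped GID [MAPFILE]
# Succeeds if GID falls inside the first column's range on some line
# of MAPFILE (default: this process's own gid_map).
gid_is_mapped()
{
  gid_=$1 map_=${2-/proc/self/gid_map}
  while read -r inside_ outside_ len_; do
    test -n "$len_" || continue          # ignore blank or short lines
    if test "$gid_" -ge "$inside_" &&
       test "$gid_" -lt $(($inside_ + $len_)); then
      return 0
    fi
  done < "$map_"
  return 1
}

# usable_groups MAPFILE GID...
# Prints the mapped gids from the argument list, de-duplicated, in order.
usable_groups()
{
  map_file_=$1; shift
  out_=
  for g_ in "$@"; do
    case " $out_ " in *" $g_ "*) continue;; esac
    gid_is_mapped "$g_" "$map_file_" || continue
    out_="${out_:+$out_ }$g_"
  done
  printf '%s\n' "$out_"
}

# Constructed sample: a namespace mapping only gids 0 and 100, while
# 'id -G' reports two unmapped supplementary groups as 65534.
sample_map=$(mktemp)
printf '%s\n' '0 1000 1' '100 984 1' > "$sample_map"
usable_groups "$sample_map" 0 65534 100 65534
```

On a live system, `usable_groups /proc/self/gid_map $(id -G)` shows which of the current process's groups have a mapping. A gid equal to the overflow value that is itself mapped is kept here, whereas the patch skips it.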