Hello,

keinflue <keinf...@posteo.net> writes:

> I also had another look and I missed that effectively CAP_SETGID is
> required in the _parent_ namespace in order to use setgroups (because
> otherwise writing "deny" to /proc/[pid]/setgroups is essentially
> forced).
>
> But the same seems to also be required to map more than the own
> effective uid/gid of the process into the namespace.

Right, user_namespaces(7) makes it clear:

    • The data written to uid_map (gid_map) must consist of a single
      line that maps the writing process's effective user ID (group
      ID) in the parent user namespace to a user ID (group ID) in the
      user namespace.

> So I guess neither solution of dropping or mapping supplementary
> groups will work completely unprivileged and the only solution is to
> modify or disable the coreutils test case.

Yes, I came to this conclusion as well.

I believe the attached Coreutils patch should fix that (yet to be
tested).  Would be worth reporting upstream as well because in a way
it’s a failure of the test framework.

Thanks,
Ludo’.

diff --git a/init.cfg b/init.cfg index 856aa2ee7..e19ec5a31 100644 --- a/init.cfg +++ b/init.cfg @@ -488,7 +488,12 @@ require_membership_in_two_groups_() { test $# = 0 || framework_failure_ - groups=${COREUTILS_GROUPS-$( (id -G || /usr/xpg4/bin/id -G) 2>/dev/null)} + # Always pretend this user account is not a member of any + # supplementary group. This avoids wrong expectations from tests + # when the supplementary group is the overflow GID as is the case + # when 'guix-daemon' runs as an unprivileged user that is part of + # supplementary groups such as 'kvm'. + groups= case "$groups" in *' '*) ;; *) skip_ 'requires membership in two groups
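
Review bot: In require_membership_in_two_groups_, the unconditional `groups=` drops the COREUTILS_GROUPS override that the removed line honoured, and because an empty string never matches `*' '*`, the case that follows always falls through to skip_, so every test calling this function is skipped for every user, not only when guix-daemon runs unprivileged. For a Guix-local patch that may be acceptable, but the comment should say outright that the effect is to skip these tests; for an upstream report, consider keeping the `id -G` lookup and dropping only the overflow GID from the result, or at least writing `groups=${COREUTILS_GROUPS-}` so the override still works.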