Package: sponsorship-requests
Severity: important
Tags: upstream patch

Hello up there,
Recently I've discovered that `unshare -r`, though it used to work in 2014, stopped working for Jessie: https://bugs.debian.org/780841

The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10 and pre-approved by RT member Niels Thykier on debian-release@l.d.o: https://lists.debian.org/debian-release/2015/03/msg00661.html and then a proper unblock request was filed: https://bugs.debian.org/781163

Since I have no upload rights, in the unblock request I've only presented a diff for the source package, and so Niels suggested I should upload the package with the fix to mentors.debian.net and seek a sponsor: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163#22 which I do here.

Please, could someone sponsor this upload with an important (imho) fix to make `unshare -r` work again for Jessie? The fix was pre-approved by Andreas, but somehow it turned out that I am the one who should take care of the actual upload being done.

Thanks beforehand,
Kirill

P.S. The proposed debdiff to util-linux/2.25.2-5 (current sid/jessie version) follows:

---- 8< ----
diff --git a/debian/changelog b/debian/changelog index 7850238..0d80c1b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +util-linux (2.25.2-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841) + + -- Kirill Smelkov <k...@nexedi.com> Wed, 25 Mar 2015 16:23:34 +0300 + util-linux (2.25.2-5) unstable; urgency=medium * Revert "Trigger update of initramfs on upgrades" (Closes: #773354) diff --git a/debian/patches/series b/debian/patches/series index 6428b26..577ad52 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -17,3 +17,4 @@ Update-Japanese-translation.patch Update-Russian-translation.patch Trivial-unfuzzy.patch libblkid-care-about-unsafe-chars-in-cache.patch +unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch new file mode 100644 index 0000000..9a469c1 --- /dev/null +++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
@@ -0,0 +1,71 @@ +From: "Eric W. Biederman" <ebied...@xmission.com> +Date: Wed, 17 Dec 2014 17:06:03 -0600 +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels +Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119 + +In rare cases droping groups with setgroups(0, NULL) is an operation +that can grant a user additional privileges. User namespaces were +allwoing that operation to unprivileged users and that had to be +fixed. + +Update unshare --map-root-user to disable the setgroups operation +before setting the gid_map. + +This is needed as after the security fix gid_map is restricted to +privileged users unless setgroups has been disabled. + +Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> +--- + include/pathnames.h | 1 + + sys-utils/unshare.c | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/include/pathnames.h b/include/pathnames.h +index 0d21b98..cbc93b7 100644 +--- a/include/pathnames.h ++++ b/include/pathnames.h +@@ -93,6 +93,7 @@ + + #define _PATH_PROC_UIDMAP "/proc/self/uid_map" + #define _PATH_PROC_GIDMAP "/proc/self/gid_map" ++#define _PATH_PROC_SETGROUPS "/proc/self/setgroups" + + #define _PATH_PROC_ATTR_CURRENT "/proc/self/attr/current" + #define _PATH_PROC_ATTR_EXEC "/proc/self/attr/exec" +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c +index fccdba2..9fdce93 100644 +--- a/sys-utils/unshare.c ++++ b/sys-utils/unshare.c +@@ -39,6 +39,24 @@ + #include "pathnames.h" + #include "all-io.h" + ++static void disable_setgroups(void) ++{ ++ const char *file = _PATH_PROC_SETGROUPS; ++ const char *deny = "deny"; ++ int fd; ++ ++ fd = open(file, O_WRONLY); ++ if (fd < 0) { ++ if (errno == ENOENT) ++ return; ++ err(EXIT_FAILURE, _("cannot open %s"), file); ++ } ++ ++ if (write_all(fd, deny, strlen(deny))) ++ err(EXIT_FAILURE, _("write failed %s"), file); ++ close(fd); ++} ++ + static void map_id(const char *file, uint32_t from, uint32_t to) 
+ { + char *buf; +@@ -181,6 +199,7 @@ int main(int argc, char *argv[]) + } + + if (maproot) { ++ disable_setgroups(); + map_id(_PATH_PROC_UIDMAP, 0, real_euid); + map_id(_PATH_PROC_GIDMAP, 0, real_egid); + }

Archive: https://lists.debian.org/20150329144911.ga24...@teco.navytux.spb.ru
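Review bot: the debian/changelog entry for 2.25.2-5.1 names only the `unshare -r` symptom and not the cause given in the patch description (newer kernels refuse gid_map writes from unprivileged callers unless setgroups has been disabled); state that in the entry so users of other kernels recognise the same failure, e.g. `* Cherry-pick upstream fix so that unshare -r / --map-root-user works on kernels that require setgroups to be denied before gid_map is written. (Closes: #780841)`.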
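Review bot: the header of the new debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch carries From, Date, Subject and Origin but no DEP-3 `Bug-Debian:` field, although the changelog closes #780841; add `Bug-Debian: https://bugs.debian.org/780841` next to the `Origin:` line so the patch is traceable to the bug on its own.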
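Review bot: missing documentation for the disable_setgroups() hunk in sys-utils/unshare.c: writing "deny" to /proc/self/setgroups is irreversible for the new user namespace, so setgroups() will fail inside it from then on whenever --map-root-user is used, yet the diffstat touches only include/pathnames.h and sys-utils/unshare.c and the unshare man page is left unchanged; add a sentence to the --map-root-user description stating this side effect. The early return on ENOENT is correct for kernels that predate /proc/self/setgroups, where gid_map can still be written without it, and aborting with err() on any other open or write failure matches what map_id() already does.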