Your message dated Wed, 01 Apr 2015 20:14:43 +0100
with message-id <1427915683.622.7.ca...@adam-barratt.org.uk>
and subject line Re: Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
has caused the Debian Bug report #781163,
regarding unblock (pre-approved): util-linux/2.25.2-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
781163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
User: release.debian....@packages.debian.org
Usertags: unblock, confirmed, moreinfo
Hello up there,
Recently I've discovered that `unshare -r`, though it used to work in
2014, stopped working for Jessie:
https://bugs.debian.org/780841
The fix was pre-ack'ed by the util-linux maintainer (Andreas Henriksson)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
https://lists.debian.org/debian-release/2015/03/msg00661.html
Niels asked me to file an unblock request with the full intended debdiff, which
I do here. It is an NMU, because there has been no reply from Andreas for
several days. Hope it is ok.
Thanks beforehand,
Kirill
diff --git a/debian/changelog b/debian/changelog
index 7850238..0d80c1b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+util-linux (2.25.2-5.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
+
+ -- Kirill Smelkov <k...@nexedi.com> Wed, 25 Mar 2015 16:23:34 +0300
+
util-linux (2.25.2-5) unstable; urgency=medium
* Revert "Trigger update of initramfs on upgrades" (Closes: #773354)
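Review bot: the changelog entry records the symptom (Closes: #780841) but not what the cherry-pick actually changes for users; since this goes into a frozen release as an NMU, it should name the upstream commit (0bf159413bdb9e324864a422b7aecb081e739119, already present in the patch's Origin header) and say in one line that --map-root-user now writes "deny" to /proc/self/setgroups before setting gid_map, so that anyone reading the package changelog sees the behaviour change without opening debian/patches. Note also that the bug has since been retitled to 2.25.2-6, so the version line in the final upload will differ from this debdiff.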
diff --git a/debian/patches/series b/debian/patches/series
index 6428b26..577ad52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ Update-Japanese-translation.patch
Update-Russian-translation.patch
Trivial-unfuzzy.patch
libblkid-care-about-unsafe-chars-in-cache.patch
+unshare-Fix-map-root-user-to-work-on-new-kernels.patch
diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
new file mode 100644
index 0000000..9a469c1
--- /dev/null
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
@@ -0,0 +1,71 @@
+From: "Eric W. Biederman" <ebied...@xmission.com>
+Date: Wed, 17 Dec 2014 17:06:03 -0600
+Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
+Origin:
https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
+
+In rare cases droping groups with setgroups(0, NULL) is an operation
+that can grant a user additional privileges. User namespaces were
+allwoing that operation to unprivileged users and that had to be
+fixed.
+
+Update unshare --map-root-user to disable the setgroups operation
+before setting the gid_map.
+
+This is needed as after the security fix gid_map is restricted to
+privileged users unless setgroups has been disabled.
+
+Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
+---
+ include/pathnames.h | 1 +
+ sys-utils/unshare.c | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/include/pathnames.h b/include/pathnames.h
+index 0d21b98..cbc93b7 100644
+--- a/include/pathnames.h
++++ b/include/pathnames.h
+@@ -93,6 +93,7 @@
+
+ #define _PATH_PROC_UIDMAP "/proc/self/uid_map"
+ #define _PATH_PROC_GIDMAP "/proc/self/gid_map"
++#define _PATH_PROC_SETGROUPS "/proc/self/setgroups"
+
+ #define _PATH_PROC_ATTR_CURRENT "/proc/self/attr/current"
+ #define _PATH_PROC_ATTR_EXEC "/proc/self/attr/exec"
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index fccdba2..9fdce93 100644
+--- a/sys-utils/unshare.c
++++ b/sys-utils/unshare.c
+@@ -39,6 +39,24 @@
+ #include "pathnames.h"
+ #include "all-io.h"
+
++static void disable_setgroups(void)
++{
++ const char *file = _PATH_PROC_SETGROUPS;
++ const char *deny = "deny";
++ int fd;
++
++ fd = open(file, O_WRONLY);
++ if (fd < 0) {
++ if (errno == ENOENT)
++ return;
++ err(EXIT_FAILURE, _("cannot open %s"), file);
++ }
++
++ if (write_all(fd, deny, strlen(deny)))
++ err(EXIT_FAILURE, _("write failed %s"), file);
++ close(fd);
++}
++
+ static void map_id(const char *file, uint32_t from, uint32_t to)
+ {
+ char *buf;
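Review bot: disable_setgroups() treats only ENOENT as "old kernel, nothing to do" and makes every other open() or write failure fatal via err(); that is the right conservative choice, because on a kernel that has /proc/self/setgroups, continuing to map_id(_PATH_PROC_GIDMAP, ...) without "deny" written would fail there with a less informative error. Two small points: the return value of close(fd) is dropped (harmless after write_all has already reported success, but worth matching whatever map_id does), and the function carries no comment saying why "deny" is needed; the reason is only in the commit message, so a one-line comment such as "unprivileged writes to gid_map are refused unless setgroups has been disabled" would help the next reader of unshare.c.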
+@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
+ }
+
+ if (maproot) {
++ disable_setgroups();
+ map_id(_PATH_PROC_UIDMAP, 0, real_euid);
+ map_id(_PATH_PROC_GIDMAP, 0, real_egid);
+ }
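Review bot: the ordering here is the part that matters and it is correct: disable_setgroups() runs before map_id(_PATH_PROC_GIDMAP, 0, real_egid), and the kernel refuses a write of "deny" once gid_map has been populated, so the two calls cannot be swapped. What the diff does not cover is the user-visible consequence: "deny" is permanent for the new user namespace, so setgroups(2) fails with EPERM for every process in it from then on, including a root user who runs `unshare -r` and previously could call setgroups inside the namespace. The stat line lists only include/pathnames.h and sys-utils/unshare.c, so neither the unshare(1) man page nor the --help text for --map-root-user mentions this; suggest adding a sentence to the man page in this upload or a follow-up.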
--- End Message ---
--- Begin Message ---
On Wed, 2015-04-01 at 19:12 +0200, Cyril Brulebois wrote:
> Control: tag -1 confirmed
>
> Niels Thykier <ni...@thykier.net> (2015-03-30):
> > I have unblocked this now and am CC'ing KiBi for a d-i ack. I am also
> > quoting in full for his convenience.
>
> No objections, thanks.
-udeb added.
Regards,
Adam
--- End Message ---