https://bugs.kde.org/show_bug.cgi?id=478306
Bug ID: 478306
Summary: Core excavator is not compatible with my pam_namespace setup
Classification: Applications
Product: drkonqi
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: k...@hexchain.org
Target Milestone: ---

SUMMARY

I have a pam_namespace configuration in place to make /tmp private for each user[1]. After a crash, drkonqi tries to excavate the core file with a privileged helper process, but the core ends up in the root mount namespace and is inaccessible to the user process:

```
# ls -l /proc/self/ns/mnt
lrwxrwxrwx 1 root root 0 Dec 9 23:09 /proc/self/ns/mnt -> 'mnt:[4026531841]'
# ls -l /tmp/drkonqi-coredump-excavator.qemVAY
total 916492
-rw-r--r-- 1 hexchain root 938487808 Dec 9 22:56 core

% ls -l /proc/self/ns/mnt
lrwxrwxrwx 1 hexchain hexchain 0 Dec 9 23:10 /proc/self/ns/mnt -> mnt:[4026533106]
% ls -l /tmp/drkonqi*
total 88
-rw-r--r-- 1 hexchain hexchain 87467 Dec 9 13:14 sentry_payload.json
```

Is it possible to make drkonqi compatible with this kind of setup?

STEPS TO REPRODUCE

1. Set up pam_namespace; see [1].
2. Let kwin_wayland crash.

OBSERVED RESULT

```
drkonqi-polkit-helper[131080]: Core dump excavation complete 0 QProcess::NormalExit "/tmp/drkonqi-coredump-excavator.qemVAY/core"
drkonqi[130864]: true QDBusError("", "") "/tmp/drkonqi-coredump-excavator.qemVAY/core"
drkonqi[130864]: Failed to move excavated core to target location QFileInfo(/tmp/drkonqi-coredump-excavator.qemVAY/core) "/tmp/drkonqi-core.gXtwZR/core"
```

EXPECTED RESULT

drkonqi should be able to successfully fetch the core.

SOFTWARE/OS VERSIONS

Operating System: Arch Linux
KDE Plasma Version: 5.90.0
KDE Frameworks Version: 5.246.0
Qt Version: 6.6.1
Kernel Version: 6.6.5-arch1-1 (64-bit)
Graphics Platform: Wayland
drkonqi at c90d3a58

ADDITIONAL INFORMATION

[1] The configuration looks like this:

/etc/security/namespace.init:

```
#!/bin/sh
# It receives polydir path as $1, the instance path as $2,
# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
# and user name in $4.

if [ "$1" = "/tmp" ]; then
    user="$4"
    mkdir -p /tmp/{.X11,.XIM,.ICE,.font}-unix
    chown $user:$user /tmp/{.X11,.XIM,.ICE,.font}-unix
    chmod +t /tmp/{.X11,.XIM,.ICE,.font}-unix
fi

exit 0
```

/etc/security/namespace.conf:

```
/tmp /tmp/user-private/ user:create root
```

/etc/pam.d/system-login:

```
# append this line:
session optional pam_namespace.so
```
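
A diagnostic sketch for the mismatch reported above, added here as an example (it is not drkonqi code and not part of the original report): it compares two `/proc/<pid>/ns/mnt` link targets and checks whether a hand-off path lies under a directory that `namespace.conf` polyinstantiates. The function names are hypothetical, the sample values are copied from the report, and only literal polydir paths are handled (entries using `$HOME` or `$USER` are skipped).

```python
import os
import re

# Constructed inputs: values copied from the report above.
NAMESPACE_CONF = "/tmp /tmp/user-private/ user:create root\n"
HELPER_NS = "'mnt:[4026531841]'"  # namespace of the root shell in the report
USER_NS = "mnt:[4026533106]"      # namespace of the user session

def read_mnt_ns(pid="self"):
    """Live lookup of a process's mount namespace link (Linux only)."""
    return os.readlink(f"/proc/{pid}/ns/mnt")

def mnt_ns_id(link):
    """Inode number from a link target such as mnt:[4026531841]."""
    m = re.fullmatch(r"mnt:\[(\d+)\]", link.strip("'"))
    if m is None:
        raise ValueError(f"not a mount namespace link: {link!r}")
    return int(m.group(1))

def parse_polydirs(conf_text):
    """Literal polydir paths (first field) from namespace.conf text."""
    dirs = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Need polydir, instance prefix and method; skip $HOME/$USER entries,
        # which cannot be resolved without knowing the user.
        if len(fields) >= 3 and "$" not in fields[0]:
            dirs.append(os.path.normpath(fields[0]))
    return dirs

def covering_polydir(path, polydirs):
    """Polydir that contains path, or None."""
    path = os.path.normpath(path)
    for d in polydirs:
        if path == d or path.startswith(d.rstrip("/") + "/"):
            return d
    return None

def handoff_visible(path, writer_ns, reader_ns, conf_text):
    """Heuristic: can the reader open, at the same path, what the writer created?"""
    if mnt_ns_id(writer_ns) == mnt_ns_id(reader_ns):
        return True
    return covering_polydir(path, parse_polydirs(conf_text)) is None

if __name__ == "__main__":
    core = "/tmp/drkonqi-coredump-excavator.qemVAY/core"
    print(core, "visible to user:", handoff_visible(core, HELPER_NS, USER_NS, NAMESPACE_CONF))
```

On a live system, `read_mnt_ns(pid)` can supply the two namespace strings for the helper and the crash handler, given permission to read the other process's `/proc` entry.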