bug#45069: Guix System: unprivileged user cannot create user namespaces?

2020-12-07 Thread Bengt Richter
Hi Vagrant,

On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt  wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> > -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---cut here---start->8---
> > (define (unprivileged-user-namespace-supported?)
> >   "Return #t if user namespaces can be created by unprivileged users."
> >   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> >     (if (file-exists? userns-file)
> >         (eqv? #\1 (call-with-input-file userns-file read-char))
> >         #t)))
> > --8<---cut here---end--->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
> 
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not.  What do I miss?  Please could someone fill my gap? :-)
> 
> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
> 
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
> 
> live well,
and as virtuously as you are able ... so that spies can't help but admire and reflect :)
>   vagrant

Another data point FYI:

On my pureos system, which is based on debian upstream:
uname -a
=-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux
and
ls -l /proc/sys/kernel/unprivileged_userns_clone
-rw-r--r-- 1 root root 0 Dec  8 03:03 /proc/sys/kernel/unprivileged_userns_clone

and (noticing that the items appear to be short and ascii lines, hence thereupon head :)

--8<---cut here---start->8---
od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone 
000   0  nl
 30  0a
002
head /proc/sys/kernel/unprivileged_userns_clone 
0
--8<---cut here---end--->8---

Not sure this tells you anything useful, but there is also:
--8<---cut here---start->8---
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163

==> /proc/sys/user/max_inotify_instances <==
128

==> /proc/sys/user/max_inotify_watches <==
65536

==> /proc/sys/user/max_ipc_namespaces <==
128163

==> /proc/sys/user/max_mnt_namespaces <==
128163

==> /proc/sys/user/max_net_namespaces <==
128163

==> /proc/sys/user/max_pid_namespaces <==
128163

==> /proc/sys/user/max_user_namespaces <==
128163

==> /proc/sys/user/max_uts_namespaces <==
128163
--8<---cut here---end--->8---

HTH some way :)
-- 
Regards,
Bengt Richter





bug#45069: Guix System: unprivileged user cannot create user namespaces?

2020-12-07 Thread zimoun
Hi Vagrant,

Sorry if I am naive, I am trying to understand and it appears that
pieces are missing in my bag. :-)


On Mon, 07 Dec 2020 at 09:55, Vagrant Cascadian  wrote:

> The /proc/sys/kernel/unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.

Thanks.  I still do not understand the message from Guix System:

--8<---cut here---start->8---
~/co/guix (master)$ guix environment -C guix
guix environment: error: cannot create container: unprivileged user cannot create user namespaces
guix environment: error: please set /proc/sys/kernel/unprivileged_userns_clone to "1"
--8<---cut here---end--->8---

(see
)

Why does this appear if «set /proc/sys/kernel/unprivileged_userns_clone to "1"» 
does not make sense on Guix System?


Then Tobias answered: (see )

yasu wrote:
> Now, I don't use Debian at all (I use Guix System) and do you think
> this is a Bug in Guix (in that this Debian specific word should never
> even be mentioned in Guix?)

It's not Debian-specific.  It is a bug in Guix.

It should try to create a namespace and properly report an error 
iff that fails, not prematurely abort after farting about in 
/proc.

A separate unprivileged-user-namespace-supported? is broken by 
design.  Reverting commit 8bc5ca5 works around this but it wasn't 
to blame.

so I miss why a similar patch, such as

>   
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

is not applied to Guix System?  Is there a technical or other reason
behind it?  Or is it simply because no one has taken the time to fix the
problem?



All the best,
simon
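Tobias's point above (attempt the namespace, and report an error only if the attempt fails), as an added C example that is not from Guix or from anyone in this thread: it forks a child to try unshare(CLONE_NEWUSER) and consults the sysctl files only afterwards, to explain a failure. The status enum, the hint strings and the use of /proc/sys/user/max_user_namespaces as a disable indicator are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* <sched.h> hides it unless _GNU_SOURCE was set first */
#endif

enum userns_status { USERNS_OK = 0, USERNS_DENIED = 1, USERNS_UNSUPPORTED = 2 };

/* Try unshare(CLONE_NEWUSER) in a forked child so the caller's namespaces stay
 * untouched; the child's exit code carries errno back (all values are < 256). */
int try_user_namespace(int *err_out)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(syscall(SYS_unshare, CLONE_NEWUSER) == 0 ? 0 : errno);
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return *err_out = EINVAL, USERNS_UNSUPPORTED;
    if ((*err_out = WEXITSTATUS(status)) == 0)
        return USERNS_OK;
    /* EPERM: sysctl, seccomp or LSM policy; ENOSPC/EUSERS: a limit was hit;
     * EINVAL: the kernel was built without CONFIG_USER_NS. */
    return *err_out == EINVAL ? USERNS_UNSUPPORTED : USERNS_DENIED;
}

/* First integer in a sysctl file, or -1 when absent (a missing Debian-only file proves nothing). */
long read_sysctl(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = -1; fclose(f); }
    return v;
}

/* Only after the attempt has failed, turn the sysctl values that do exist into
 * a hint; the Debian knob is named only when it is present and reads 0. */
const char *explain_denial(long debian_clone, long max_user_ns)
{
    if (max_user_ns == 0)
        return "/proc/sys/user/max_user_namespaces is 0";
    if (debian_clone == 0)
        return "set /proc/sys/kernel/unprivileged_userns_clone to 1";
    return "kernel config, seccomp or LSM policy denies CLONE_NEWUSER";
}
```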





bug#45069: Guix System: unprivileged user cannot create user namespaces?

2020-12-07 Thread Vagrant Cascadian
On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt  wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---cut here---start->8---
> (define (unprivileged-user-namespace-supported?)
>   "Return #t if user namespaces can be created by unprivileged users."
>   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
>     (if (file-exists? userns-file)
>         (eqv? #\1 (call-with-input-file userns-file read-char))
>         #t)))
> --8<---cut here---end--->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?

> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not.  What do I miss?  Please could someone fill my gap? :-)

The /proc/sys/kernel/unprivileged_userns_clone file is specific to
Debian and Ubuntu packaged linux kernel; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.

https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

live well,
  vagrant




bug#45069: Guix System: unprivileged user cannot create user namespaces?

2020-12-07 Thread zimoun
Hi,

On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt  wrote:

>> Can you try, as root on Guix System:
>>
>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>
> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory

In gnu/build/linux-container.scm, it reads:

--8<---cut here---start->8---
(define (unprivileged-user-namespace-supported?)
  "Return #t if user namespaces can be created by unprivileged users."
  (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
    (if (file-exists? userns-file)
        (eqv? #\1 (call-with-input-file userns-file read-char))
        #t)))
--8<---cut here---end--->8---

Does it mean that the Linux kernel on Guix System does not support
namespaces by unprivileged users?

Turning #t to #f should work on Guix System and it appears to me a
severe bug if not.  What do I miss?  Please could someone fill my gap? :-)


All the best,
simon