Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-04-01 Thread Cyril Brulebois
Control: tag -1 confirmed

Niels Thykier ni...@thykier.net (2015-03-30):
> I have unblocked this now and am CC'ing KiBi for a d-i ack.  I am also
> quoting in full for his convenience.

No objections, thanks.

Mraw,
KiBi.




Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-30 Thread Niels Thykier
Control: tags -1 d-i

On 2015-03-25 14:58, Kirill Smelkov wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian@packages.debian.org
> Usertags: unblock, confirmed, moreinfo
>
> Hello up there,
>
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
>
> https://bugs.debian.org/780841
>
> The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
>
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
>
> https://lists.debian.org/debian-release/2015/03/msg00661.html
>
>
> Niels asked to file an unblock request with full intended debdiff, which
> I do here. It is an NMU, because there is no reply from Andreas for
> several days. Hope it is ok.
>
>
> Thanks beforehand,
> Kirill
>

Hi,

I have unblocked this now and am CC'ing KiBi for a d-i ack.  I am also
quoting in full for his convenience.

Thanks,
~Niels

 
 diff --git a/debian/changelog b/debian/changelog
 index 7850238..0d80c1b 100644
 --- a/debian/changelog
 +++ b/debian/changelog
 @@ -1,3 +1,10 @@
 +util-linux (2.25.2-5.1) unstable; urgency=medium
 +
 +  * Non-maintainer upload.
 +  * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
 +
 + -- Kirill Smelkov k...@nexedi.com  Wed, 25 Mar 2015 16:23:34 +0300
 +
  util-linux (2.25.2-5) unstable; urgency=medium
  
* Revert Trigger update of initramfs on upgrades (Closes: #773354)
 diff --git a/debian/patches/series b/debian/patches/series
 index 6428b26..577ad52 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
 @@ -17,3 +17,4 @@ Update-Japanese-translation.patch
  Update-Russian-translation.patch
  Trivial-unfuzzy.patch
  libblkid-care-about-unsafe-chars-in-cache.patch
 +unshare-Fix-map-root-user-to-work-on-new-kernels.patch
 diff --git 
 a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
 b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
 new file mode 100644
 index 000..9a469c1
 --- /dev/null
 +++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
 @@ -0,0 +1,71 @@
 +From: Eric W. Biederman ebied...@xmission.com
 +Date: Wed, 17 Dec 2014 17:06:03 -0600
 +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
 +Origin: 
 https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
 +
 +In rare cases droping groups with setgroups(0, NULL) is an operation
 +that can grant a user additional privileges.  User namespaces were
 +allwoing that operation to unprivileged users and that had to be
 +fixed.
 +
 +Update unshare --map-root-user to disable the setgroups operation
 +before setting the gid_map.
 +
 +This is needed as after the security fix gid_map is restricted to
 +privileged users unless setgroups has been disabled.
 +
 +Signed-off-by: Eric W. Biederman ebied...@xmission.com
 +---
 + include/pathnames.h |  1 +
 + sys-utils/unshare.c | 19 +++
 + 2 files changed, 20 insertions(+)
 +
 +diff --git a/include/pathnames.h b/include/pathnames.h
 +index 0d21b98..cbc93b7 100644
 +--- a/include/pathnames.h
  b/include/pathnames.h
 +@@ -93,6 +93,7 @@
 + 
 + #define _PATH_PROC_UIDMAP   /proc/self/uid_map
 + #define _PATH_PROC_GIDMAP   /proc/self/gid_map
 ++#define _PATH_PROC_SETGROUPS/proc/self/setgroups
 + 
 + #define _PATH_PROC_ATTR_CURRENT /proc/self/attr/current
 + #define _PATH_PROC_ATTR_EXEC/proc/self/attr/exec
 +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
 +index fccdba2..9fdce93 100644
 +--- a/sys-utils/unshare.c
  b/sys-utils/unshare.c
 +@@ -39,6 +39,24 @@
 + #include pathnames.h
 + #include all-io.h
 + 
 ++static void disable_setgroups(void)
 ++{
 ++const char *file = _PATH_PROC_SETGROUPS;
 ++const char *deny = deny;
 ++int fd;
 ++
 ++fd = open(file, O_WRONLY);
 ++if (fd  0) {
 ++if (errno == ENOENT)
 ++return;
 ++ err(EXIT_FAILURE, _(cannot open %s), file);
 ++}
 ++
 ++if (write_all(fd, deny, strlen(deny)))
 ++err(EXIT_FAILURE, _(write failed %s), file);
 ++close(fd);
 ++}
 ++
 + static void map_id(const char *file, uint32_t from, uint32_t to)
 + {
 + char *buf;
 +@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
 + }
 + 
 + if (maproot) {
 ++disable_setgroups();
 + map_id(_PATH_PROC_UIDMAP, 0, real_euid);
 + map_id(_PATH_PROC_GIDMAP, 0, real_egid);
 + }
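
Review bot: the patch header (From, Date, Subject, Origin) has no Bug-Debian field, although the changelog entry closes #780841. Adding `Bug-Debian: https://bugs.debian.org/780841` below the Origin line would tie the patch file to the report it fixes, which helps whoever later audits debian/patches/ without the changelog at hand.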
 
 


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-29 Thread Kirill Smelkov
On Sat, Mar 28, 2015 at 07:41:40PM +0100, Niels Thykier wrote:
> On 2015-03-26 07:54, Kirill Smelkov wrote:
> > [...]
> >
> > Hi Niels.
> >
> > Thanks for replying and yes, I do need some kind of sponsorship/help
> > with upload as I do not have upload rights (I'm not a Debian developer
> > nor Debian member - currently just a person from outside).
> >
> > I would be glad if you, or someone else, sponsor me with this upload,
> > and this way I'll also start to slowly become a bit more involved with
> > Debian which I was thinking about for a long time, but had no occasion
> > to start.
> >
> > Thanks again,
> > Kirill
> >
> >
>
> Hi Kirill,
>
> Ok, you probably want to file an RFS bug against
> sponsorship-requests[1] (and maybe also ask on #debian-mentors if you
> use IRC) if you have not already done so.

Hi Niels,

Thanks for suggesting this. I just did:

https://bugs.debian.org/781455
https://mentors.debian.net/package/util-linux


Hope it is ok, and thanks beforehand for probably reviewing/sponsoring it,
Kirill





Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-28 Thread Niels Thykier
On 2015-03-26 07:54, Kirill Smelkov wrote:
> [...]
>
> Hi Niels.
>
> Thanks for replying and yes, I do need some kind of sponsorship/help
> with upload as I do not have upload rights (I'm not a Debian developer
> nor Debian member - currently just a person from outside).
>
> I would be glad if you, or someone else, sponsor me with this upload,
> and this way I'll also start to slowly become a bit more involved with
> Debian which I was thinking about for a long time, but had no occasion
> to start.
>
> Thanks again,
> Kirill
>
>

Hi Kirill,

Ok, you probably want to file an RFS bug against
sponsorship-requests[1] (and maybe also ask on #debian-mentors if you
use IRC) if you have not already done so.

Thanks,
~Niels

[1]
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=sponsorship-requests;dist=unstable





Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-26 Thread Kirill Smelkov
On Wed, Mar 25, 2015 at 09:13:08PM +0100, Niels Thykier wrote:
> Control: severity -1 normal
>
> On 2015-03-25 14:58, Kirill Smelkov wrote:
> > Package: release.debian.org
> > Severity: important
> > User: release.debian@packages.debian.org
> > Usertags: unblock, confirmed, moreinfo
> >
> > Hello up there,
> >
> > Recently I've discovered that `unshare -r`, though it used to work in
> > 2014, stopped working for Jessie:
> >
> > https://bugs.debian.org/780841
> >
> > The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
> >
> > and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
> >
> > https://lists.debian.org/debian-release/2015/03/msg00661.html
> >
> >
> > Niels asked to file an unblock request with full intended debdiff, which
> > I do here. It is an NMU, because there is no reply from Andreas for
> > several days. Hope it is ok.
> >
> >
> > Thanks beforehand,
> > Kirill
> >
> > [...]
>
> Hi,
>
> Thanks for filing the bug.
>
> You mention that this is an NMU, but I do not see it being uploaded?  Do
> you need someone to sponsor the upload?

Hi Niels.

Thanks for replying and yes, I do need some kind of sponsorship/help
with upload as I do not have upload rights (I'm not a Debian developer
nor Debian member - currently just a person from outside).

I would be glad if you, or someone else, sponsor me with this upload,
and this way I'll also start to slowly become a bit more involved with
Debian which I was thinking about for a long time, but had no occasion
to start.

Thanks again,
Kirill





Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-25 Thread Kirill Smelkov
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock, confirmed, moreinfo

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in
2014, stopped working for Jessie:

https://bugs.debian.org/780841

The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

https://lists.debian.org/debian-release/2015/03/msg00661.html


Niels asked to file an unblock request with full intended debdiff, which
I do here. It is an NMU, because there is no reply from Andreas for
several days. Hope it is ok.


Thanks beforehand,
Kirill


diff --git a/debian/changelog b/debian/changelog
index 7850238..0d80c1b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+util-linux (2.25.2-5.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
+
+ -- Kirill Smelkov k...@nexedi.com  Wed, 25 Mar 2015 16:23:34 +0300
+
 util-linux (2.25.2-5) unstable; urgency=medium
 
   * Revert Trigger update of initramfs on upgrades (Closes: #773354)
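
Review bot: the changelog line "Cherry-pick `unshare -r` fix from upstream" names neither the patch file nor the upstream commit. The new patch is unshare-Fix-map-root-user-to-work-on-new-kernels.patch and its Origin field already carries the commit id, so mentioning the patch file name in the entry would make the NMU traceable from the changelog alone.
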
diff --git a/debian/patches/series b/debian/patches/series
index 6428b26..577ad52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ Update-Japanese-translation.patch
 Update-Russian-translation.patch
 Trivial-unfuzzy.patch
 libblkid-care-about-unsafe-chars-in-cache.patch
+unshare-Fix-map-root-user-to-work-on-new-kernels.patch
diff --git 
a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
new file mode 100644
index 000..9a469c1
--- /dev/null
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
@@ -0,0 +1,71 @@
+From: Eric W. Biederman ebied...@xmission.com
+Date: Wed, 17 Dec 2014 17:06:03 -0600
+Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
+Origin: 
https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
+
+In rare cases droping groups with setgroups(0, NULL) is an operation
+that can grant a user additional privileges.  User namespaces were
+allwoing that operation to unprivileged users and that had to be
+fixed.
+
+Update unshare --map-root-user to disable the setgroups operation
+before setting the gid_map.
+
+This is needed as after the security fix gid_map is restricted to
+privileged users unless setgroups has been disabled.
+
+Signed-off-by: Eric W. Biederman ebied...@xmission.com
+---
+ include/pathnames.h |  1 +
+ sys-utils/unshare.c | 19 +++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/include/pathnames.h b/include/pathnames.h
+index 0d21b98..cbc93b7 100644
+--- a/include/pathnames.h
 b/include/pathnames.h
+@@ -93,6 +93,7 @@
+ 
+ #define _PATH_PROC_UIDMAP /proc/self/uid_map
+ #define _PATH_PROC_GIDMAP /proc/self/gid_map
++#define _PATH_PROC_SETGROUPS  /proc/self/setgroups
+ 
+ #define _PATH_PROC_ATTR_CURRENT   /proc/self/attr/current
+ #define _PATH_PROC_ATTR_EXEC  /proc/self/attr/exec
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index fccdba2..9fdce93 100644
+--- a/sys-utils/unshare.c
 b/sys-utils/unshare.c
+@@ -39,6 +39,24 @@
+ #include pathnames.h
+ #include all-io.h
+ 
++static void disable_setgroups(void)
++{
++  const char *file = _PATH_PROC_SETGROUPS;
++  const char *deny = deny;
++  int fd;
++
++  fd = open(file, O_WRONLY);
++  if (fd  0) {
++  if (errno == ENOENT)
++  return;
++   err(EXIT_FAILURE, _(cannot open %s), file);
++  }
++
++  if (write_all(fd, deny, strlen(deny)))
++  err(EXIT_FAILURE, _(write failed %s), file);
++  close(fd);
++}
++
+ static void map_id(const char *file, uint32_t from, uint32_t to)
+ {
+   char *buf;
+@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
+   }
+ 
+   if (maproot) {
++  disable_setgroups();
+   map_id(_PATH_PROC_UIDMAP, 0, real_euid);
+   map_id(_PATH_PROC_GIDMAP, 0, real_egid);
+   }
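
Review bot: the `disable_setgroups();` call in the `if (maproot)` block has no comment saying that it has to stay ahead of the `map_id(_PATH_PROC_GIDMAP, ...)` write. The commit message explains that gid_map is restricted to privileged users unless setgroups has been disabled, so the order matters for correctness; a one-line comment at the call site would keep a later reordering from bringing back the failure. In the same spirit, the `errno == ENOENT` early return in disable_setgroups() deserves a comment that a missing /proc/self/setgroups is treated as nothing to disable, since the silent return is otherwise easy to misread as a swallowed error.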





Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1

2015-03-25 Thread Niels Thykier
Control: severity -1 normal

On 2015-03-25 14:58, Kirill Smelkov wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian@packages.debian.org
> Usertags: unblock, confirmed, moreinfo
>
> Hello up there,
>
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
>
> https://bugs.debian.org/780841
>
> The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
>
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
>
> https://lists.debian.org/debian-release/2015/03/msg00661.html
>
>
> Niels asked to file an unblock request with full intended debdiff, which
> I do here. It is an NMU, because there is no reply from Andreas for
> several days. Hope it is ok.
>
>
> Thanks beforehand,
> Kirill
>
> [...]

Hi,

Thanks for filing the bug.

You mention that this is an NMU, but I do not see it being uploaded?  Do
you need someone to sponsor the upload?

Thanks,
~Niels

