Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
Control: tag -1 confirmed

Niels Thykier ni...@thykier.net (2015-03-30):
I have unblocked this now and am CC'ing KiBi for a d-i ack. I am also quoting in full for his convenience.

No objections, thanks.

Mraw,
KiBi.
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
Control: tags -1 d-i

On 2015-03-25 14:58, Kirill Smelkov wrote:
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock, confirmed, moreinfo

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in 2014, stopped working for Jessie:

https://bugs.debian.org/780841

The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

https://lists.debian.org/debian-release/2015/03/msg00661.html

Niels asked to file an unblock request with full intended debdiff, which I do here.

It is an NMU, because there is no reply from Andreas for several days. Hope it is ok.

Thanks beforehand,
Kirill

Hi,

I have unblocked this now and am CC'ing KiBi for a d-i ack. I am also quoting in full for his convenience.

Thanks,
~Niels

diff --git a/debian/changelog b/debian/changelog index 7850238..0d80c1b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +util-linux (2.25.2-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841) + + -- Kirill Smelkov k...@nexedi.com Wed, 25 Mar 2015 16:23:34 +0300 + util-linux (2.25.2-5) unstable; urgency=medium * Revert Trigger update of initramfs on upgrades (Closes: #773354) diff --git a/debian/patches/series b/debian/patches/series index 6428b26..577ad52 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -17,3 +17,4 @@ Update-Japanese-translation.patch Update-Russian-translation.patch Trivial-unfuzzy.patch libblkid-care-about-unsafe-chars-in-cache.patch +unshare-Fix-map-root-user-to-work-on-new-kernels.patch diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch new file mode 100644 index 000..9a469c1 --- /dev/null 
+++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
@@ -0,0 +1,71 @@ +From: Eric W. Biederman ebied...@xmission.com +Date: Wed, 17 Dec 2014 17:06:03 -0600 +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels +Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119 + +In rare cases droping groups with setgroups(0, NULL) is an operation +that can grant a user additional privileges. User namespaces were +allwoing that operation to unprivileged users and that had to be +fixed. + +Update unshare --map-root-user to disable the setgroups operation +before setting the gid_map. + +This is needed as after the security fix gid_map is restricted to +privileged users unless setgroups has been disabled. + +Signed-off-by: Eric W. Biederman ebied...@xmission.com +--- + include/pathnames.h | 1 + + sys-utils/unshare.c | 19 +++ + 2 files changed, 20 insertions(+) + +diff --git a/include/pathnames.h b/include/pathnames.h +index 0d21b98..cbc93b7 100644 +--- a/include/pathnames.h b/include/pathnames.h +@@ -93,6 +93,7 @@ + + #define _PATH_PROC_UIDMAP /proc/self/uid_map + #define _PATH_PROC_GIDMAP /proc/self/gid_map ++#define _PATH_PROC_SETGROUPS/proc/self/setgroups + + #define _PATH_PROC_ATTR_CURRENT /proc/self/attr/current + #define _PATH_PROC_ATTR_EXEC/proc/self/attr/exec +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c +index fccdba2..9fdce93 100644 +--- a/sys-utils/unshare.c b/sys-utils/unshare.c +@@ -39,6 +39,24 @@ + #include pathnames.h + #include all-io.h + ++static void disable_setgroups(void) ++{ ++const char *file = _PATH_PROC_SETGROUPS; ++const char *deny = deny; ++int fd; ++ ++fd = open(file, O_WRONLY); ++if (fd 0) { ++if (errno == ENOENT) ++return; ++ err(EXIT_FAILURE, _(cannot open %s), file); ++} ++ ++if (write_all(fd, deny, strlen(deny))) ++err(EXIT_FAILURE, _(write failed %s), file); ++close(fd); ++} ++ + static void map_id(const char *file, uint32_t from, uint32_t to) + { + char *buf; +@@ -181,6 +199,7 @@ int main(int argc, char 
*argv[]) + } + + if (maproot) { ++disable_setgroups(); + map_id(_PATH_PROC_UIDMAP, 0, real_euid); + map_id(_PATH_PROC_GIDMAP, 0, real_egid); + }
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
On Sat, Mar 28, 2015 at 07:41:40PM +0100, Niels Thykier wrote:
On 2015-03-26 07:54, Kirill Smelkov wrote:
[...]
Hi Niels. Thanks for replying and yes, I do need some kind of sponsorship/help with upload as I do not have upload rights (I'm not a Debian developer nor Debian member - currently just a person from outside). I would be glad if you, or someone else, sponsor me with this upload, and this way I'll also start to slowly become a bit more involved with Debian, which I was thinking about for a long time, but had no occasion to start.

Thanks again,
Kirill

Hi Kirill,

Ok, you probably want to file an RFS bug against sponsorship-requests[1] (and maybe also ask on #debian-mentors if you use IRC) if you have not already done so.

Hi Niels,

Thanks for suggesting this. I just did:

https://bugs.debian.org/781455
https://mentors.debian.net/package/util-linux

Hope it is ok, and thanks beforehand for probably reviewing/sponsoring it,
Kirill
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
On 2015-03-26 07:54, Kirill Smelkov wrote:
[...]
Hi Niels. Thanks for replying and yes, I do need some kind of sponsorship/help with upload as I do not have upload rights (I'm not a Debian developer nor Debian member - currently just a person from outside). I would be glad if you, or someone else, sponsor me with this upload, and this way I'll also start to slowly become a bit more involved with Debian, which I was thinking about for a long time, but had no occasion to start.

Thanks again,
Kirill

Hi Kirill,

Ok, you probably want to file an RFS bug against sponsorship-requests[1] (and maybe also ask on #debian-mentors if you use IRC) if you have not already done so.

Thanks,
~Niels

[1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=sponsorship-requests;dist=unstable
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
On Wed, Mar 25, 2015 at 09:13:08PM +0100, Niels Thykier wrote:
Control: severity -1 normal

On 2015-03-25 14:58, Kirill Smelkov wrote:
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock, confirmed, moreinfo

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in 2014, stopped working for Jessie:

https://bugs.debian.org/780841

The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

https://lists.debian.org/debian-release/2015/03/msg00661.html

Niels asked to file an unblock request with full intended debdiff, which I do here.

It is an NMU, because there is no reply from Andreas for several days. Hope it is ok.

Thanks beforehand,
Kirill
[...]

Hi,

Thanks for filing the bug. You mention that this is an NMU, but I do not see it being uploaded? Do you need someone to sponsor the upload?

Hi Niels. Thanks for replying and yes, I do need some kind of sponsorship/help with upload as I do not have upload rights (I'm not a Debian developer nor Debian member - currently just a person from outside). I would be glad if you, or someone else, sponsor me with this upload, and this way I'll also start to slowly become a bit more involved with Debian, which I was thinking about for a long time, but had no occasion to start.

Thanks again,
Kirill
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock, confirmed, moreinfo

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in 2014, stopped working for Jessie:

https://bugs.debian.org/780841

The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

https://lists.debian.org/debian-release/2015/03/msg00661.html

Niels asked to file an unblock request with full intended debdiff, which I do here.

It is an NMU, because there is no reply from Andreas for several days. Hope it is ok.

Thanks beforehand,
Kirill

diff --git a/debian/changelog b/debian/changelog index 7850238..0d80c1b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +util-linux (2.25.2-5.1) unstable; urgency=medium + + * Non-maintainer upload. + * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841) + + -- Kirill Smelkov k...@nexedi.com Wed, 25 Mar 2015 16:23:34 +0300 + util-linux (2.25.2-5) unstable; urgency=medium * Revert Trigger update of initramfs on upgrades (Closes: #773354) diff --git a/debian/patches/series b/debian/patches/series index 6428b26..577ad52 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -17,3 +17,4 @@ Update-Japanese-translation.patch Update-Russian-translation.patch Trivial-unfuzzy.patch libblkid-care-about-unsafe-chars-in-cache.patch +unshare-Fix-map-root-user-to-work-on-new-kernels.patch diff --git a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch new file mode 100644 index 000..9a469c1 --- /dev/null +++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
@@ -0,0 +1,71 @@ +From: Eric W. Biederman ebied...@xmission.com +Date: Wed, 17 Dec 2014 17:06:03 -0600 +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels +Origin: https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119 + +In rare cases droping groups with setgroups(0, NULL) is an operation +that can grant a user additional privileges. User namespaces were +allwoing that operation to unprivileged users and that had to be +fixed. + +Update unshare --map-root-user to disable the setgroups operation +before setting the gid_map. + +This is needed as after the security fix gid_map is restricted to +privileged users unless setgroups has been disabled. + +Signed-off-by: Eric W. Biederman ebied...@xmission.com +--- + include/pathnames.h | 1 + + sys-utils/unshare.c | 19 +++ + 2 files changed, 20 insertions(+) + +diff --git a/include/pathnames.h b/include/pathnames.h +index 0d21b98..cbc93b7 100644 +--- a/include/pathnames.h b/include/pathnames.h +@@ -93,6 +93,7 @@ + + #define _PATH_PROC_UIDMAP /proc/self/uid_map + #define _PATH_PROC_GIDMAP /proc/self/gid_map ++#define _PATH_PROC_SETGROUPS /proc/self/setgroups + + #define _PATH_PROC_ATTR_CURRENT /proc/self/attr/current + #define _PATH_PROC_ATTR_EXEC /proc/self/attr/exec +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c +index fccdba2..9fdce93 100644 +--- a/sys-utils/unshare.c b/sys-utils/unshare.c +@@ -39,6 +39,24 @@ + #include pathnames.h + #include all-io.h + ++static void disable_setgroups(void) ++{ ++ const char *file = _PATH_PROC_SETGROUPS; ++ const char *deny = deny; ++ int fd; ++ ++ fd = open(file, O_WRONLY); ++ if (fd 0) { ++ if (errno == ENOENT) ++ return; ++ err(EXIT_FAILURE, _(cannot open %s), file); ++ } ++ ++ if (write_all(fd, deny, strlen(deny))) ++ err(EXIT_FAILURE, _(write failed %s), file); ++ close(fd); ++} ++ + static void map_id(const char *file, uint32_t from, uint32_t to) + { + char *buf; +@@ -181,6 +199,7 @@ int main(int 
argc, char *argv[]) + } + + if (maproot) { ++ disable_setgroups(); + map_id(_PATH_PROC_UIDMAP, 0, real_euid); + map_id(_PATH_PROC_GIDMAP, 0, real_egid); + }
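Review bot: the debian/changelog hunk records the cherry-pick but not its user-visible effect; the patch header it pulls in says --map-root-user now disables the setgroups operation before writing gid_map, so a user of `unshare -r` loses setgroups() inside the new namespace on kernels that carry the fix. A second bullet under "Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)" stating that would keep the behaviour change visible in the package history rather than only inside debian/patches.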
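Review bot: as rendered here the new `disable_setgroups()` in the sys-utils/unshare.c hunk has lost its comparison operator and its string quotes: `if (fd 0)`, `const char *deny = deny;`, `_(cannot open %s)` and `_(write failed %s)` (the same stripping hits `#include pathnames.h`, so this is the archive rendering rather than the patch), but the sponsor should build from the actual upload and confirm the file carries `if (fd < 0)` and a quoted `"deny"` literal before signing it. The logic itself is sound: returning on `errno == ENOENT` keeps the tool working on kernels that predate the setgroups change and therefore have no /proc/self/setgroups, while any other open or write failure aborts through err() instead of going on to a gid_map write that, per the patch header, the kernel would refuse for an unprivileged process.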
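Review bot: the order in the `if (maproot)` hunk is the part that matters and it is right: `disable_setgroups()` runs before `map_id(_PATH_PROC_GIDMAP, 0, real_egid)`, which is the sequence the patch header requires (gid_map is restricted to privileged users unless setgroups has been disabled); the uid_map write sitting between the two does not depend on setgroups, so it is unaffected. Because the call is unconditional inside `maproot`, any later setgroups() in the namespace will fail on kernels with the fix; that is the intended behaviour per the header, and worth keeping in mind when testing `unshare -r` against both older and newer kernels.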
Bug#781163: unblock (pre-approved): util-linux/2.25.2-5.1
Control: severity -1 normal

On 2015-03-25 14:58, Kirill Smelkov wrote:
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock, confirmed, moreinfo

Hello up there,

Recently I've discovered that `unshare -r`, though it used to work in 2014, stopped working for Jessie:

https://bugs.debian.org/780841

The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10

and pre-approved by RT member Niels Thykier on debian-release@l.d.o:

https://lists.debian.org/debian-release/2015/03/msg00661.html

Niels asked to file an unblock request with full intended debdiff, which I do here.

It is an NMU, because there is no reply from Andreas for several days. Hope it is ok.

Thanks beforehand,
Kirill
[...]

Hi,

Thanks for filing the bug. You mention that this is an NMU, but I do not see it being uploaded? Do you need someone to sponsor the upload?

Thanks,
~Niels