[Kernel-packages] [Bug 1659087] Re: open(2) returns EOVERFLOW within tmpfs+userns
Thinking more about it, this might be due to the lack of CAP_DAC_OVERRIDE so I guess I need this too, right?

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1659087

Title:
  open(2) returns EOVERFLOW within tmpfs+userns

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Xenial:
  Confirmed

Bug description:
  On Ubuntu 4.4.0-59.80-generic 4.4.35, open(2) returns EOVERFLOW when creating a file in tmpfs with user namespace enabled.

  This issue wasn't present in 4.4.0-47 and has probably been introduced by https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1634964

  Steps to reproduce:

  $ unshare -r -U -m /bin/bash
  # mount -t tmpfs tmpfs /mnt
  # echo $$
  2354

  In another terminal:

  $ sudo nsenter -t 2354 -m
  # touch /mnt/foo
  touch: cannot touch '/mnt/foo': Value too large for defined data type

  Note that we are not joining the user namespace when creating the file but we would expect `touch' to succeed and create the file with an inode set to INVALID_UID/GID (i.e. nobody:nogroup) within the mount namespace.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1659087/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1659087] Re: open(2) returns EOVERFLOW within tmpfs+userns
Trying the fsuid/fsgid workaround, I came across another oddity:

  $ id -u
  1000
  $ id -g
  1000
  $ unshare -r -U -m /bin/bash
  # mount -t tmpfs tmpfs /mnt
  # chmod 555 /mnt
  # ls -ldn /mnt
  dr-xr-xr-x 2 0 0 40 Jan 26 14:15 /mnt
  # echo $$
  2354

In another terminal:

  $ sudo nsenter -G 1000 -S 1000 -t 2354 -m
  $ ls -ldn /mnt
  dr-xr-xr-x 2 1000 1000 40 Jan 26 14:10 /mnt
  $ touch /mnt/foo
  touch: cannot touch '/mnt/foo': Permission denied

Even though I'm supposed to be root in the context of the user namespace, I can't create the file because I'm lacking the write permission on the mount directory. In this case, setting the fsuid/fsgid is not sufficient, I have to join the user namespace if I want the permissions to be resolved correctly.
[Kernel-packages] [Bug 1659087] Re: open(2) returns EOVERFLOW within tmpfs+userns
Glad you figured it out, I suspected this had something to do with the may_create/may_o_create code paths but couldn't wrap my head around it. Hopefully this will be addressed upstream in the near future. This change in behavior is surprising though, maybe this should be documented in user_namespaces(7).
[Kernel-packages] [Bug 1659087] Re: open(2) returns EOVERFLOW within tmpfs+userns
I can't reproduce the issue on Fedora 4.9.5-200.fc25.x86_64 either. As you pointed out, setting the fsuid/fsgid to a known userns mapping does work.
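Added example, not part of the original message or of any project's code: a pre-flight check that translates a host uid/gid through a namespace's uid_map/gid_map (format per user_namespaces(7)) to tell whether the creator's ids have a mapping. It assumes the EOVERFLOW comes from the creator's fsuid/fsgid being unmapped in the user namespace that owns the tmpfs mount, as the workaround in this thread suggests; `map_host_id`, `check_creator` and `SAMPLE_MAP` are hypothetical names.

```shell
#!/bin/sh
# Each uid_map/gid_map line is: <first-id-inside-ns> <first-id-outside-ns> <length>
# Read from the initial namespace, the second column holds host ids.

# map_host_id MAP_TEXT HOST_ID
# Prints the id as seen inside the namespace; returns 1 if HOST_ID is unmapped.
map_host_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $2 && id < $2 + $3 {
            print $1 + (id - $2)   # offset into the matching range
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }'
}

# check_creator UID_MAP_TEXT GID_MAP_TEXT HOST_UID HOST_GID
# Prints "ok <uid>:<gid>" (ownership the new inode would show inside the
# namespace) or "unmapped uid|gid <id>" and returns 1.
check_creator() {
    u=$(map_host_id "$1" "$3") || { echo "unmapped uid $3"; return 1; }
    g=$(map_host_id "$2" "$4") || { echo "unmapped gid $4"; return 1; }
    echo "ok $u:$g"
}

# Constructed sample: the single-line map `unshare -r` writes when run by
# host uid/gid 1000 (namespace id 0 <-> host id 1000, length 1).
SAMPLE_MAP='         0       1000          1'

# Live use from the host side, with PID being the shell inside the namespace:
#   check_creator "$(cat /proc/PID/uid_map)" "$(cat /proc/PID/gid_map)" \
#                 "$(id -u)" "$(id -g)"
```

With the sample map, host id 0 (the `sudo nsenter -t 2354 -m` case) is reported as unmapped, while host id 1000 (the `-S 1000 -G 1000` case) maps to 0 inside the namespace.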
[Kernel-packages] [Bug 1659087] Re: open(2) returns EOVERFLOW within tmpfs+userns
Interesting, I tried to reproduce with a Debian stretch 4.8.0-2-amd64 (Debian 4.8.15-2) and 4.9.0-1-amd64 (Debian 4.9.2-2) and didn't hit the error. This seems to be specific to tmpfs though, touching the file anywhere else yields the nobody:nogroup mapping.

Regarding my use-case, I'm creating the file in order to bind-mount on top of it. Container runtimes usually expose host files (e.g. char device) within containers similarly.
[Kernel-packages] [Bug 1659087] [NEW] open(2) returns EOVERFLOW within tmpfs+userns
Public bug reported:

On Ubuntu 4.4.0-59.80-generic 4.4.35, open(2) returns EOVERFLOW when creating a file in tmpfs with user namespace enabled.

This issue wasn't present in 4.4.0-47 and has probably been introduced by https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1634964

Steps to reproduce:

  $ unshare -r -U -m /bin/bash
  # mount -t tmpfs tmpfs /mnt
  # echo $$
  2354

In another terminal:

  $ sudo nsenter -t 2354 -m
  # touch /mnt/foo
  touch: cannot touch '/mnt/foo': Value too large for defined data type

Note that we are not joining the user namespace when creating the file but we would expect `touch' to succeed and create the file with an inode set to INVALID_UID/GID (i.e. nobody:nogroup) within the mount namespace.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Summary changed:

- open(2) returns EOVERFLOW with tmpfs+userns
+ open(2) returns EOVERFLOW within tmpfs+userns