Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check filecaps on newuidmap and newgidmap on failure #1188

Merged
merged 1 commit into from Apr 6, 2022
Merged

Check filecaps on newuidmap and newgidmap on failure #1188

merged 1 commit into from Apr 6, 2022

Conversation

rhatdan
Copy link
Member

@rhatdan rhatdan commented Apr 4, 2022

A fairly common failure is newuidmap and newgidmap not being setuid and
setgid. If these commands fail, check the permissions on the binaries in
order to give the user better information on why they failed.

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

@rhatdan
Copy link
Member Author

rhatdan commented Apr 4, 2022

Fixes: containers/podman#13751

@rhatdan rhatdan mentioned this pull request Apr 4, 2022
Closed
Luap99
Luap99 reviewed Apr 5, 2022
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Podman doesn't use this code AFAIK.
You need to change https://github.com/containers/podman/blob/839744af56ee6a3e54c63eb8da495974666dfdeb/pkg/rootless/rootless_linux.go#L115 for podman.

pkg/unshare/unshare_linux.go Outdated Show resolved Hide resolved
pkg/unshare/unshare_linux.go Outdated
return cap.Get(capability.EFFECTIVE, capability.CAP_SETUID), nil
}

func isSetGid(path string) (bool, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you combine isSetUid() and isSetGid() into one function, right now the logic is duplicated, i.e.

modeSetid := os.ModeSetuid
capSetid := capability.CAP_SETGID
if gid {
    modeSetid := os.ModeSetuid
    capSetid := capability.CAP_SETGID
}

nalind
nalind reviewed Apr 5, 2022
View reviewed changes
pkg/unshare/unshare_linux.go Outdated Show resolved Hide resolved
nalind
nalind reviewed Apr 5, 2022
View reviewed changes
pkg/unshare/unshare_linux.go Outdated
if mode&modeid == modeid {
return true, nil
}
cap, err := capability.NewFile(path)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs for github.com/syndtr/gocapability/capability say NewFile() is deprecated, and to use NewFile2() and then cap.Load() instead.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had that on a previous version.

nalind
nalind reviewed Apr 5, 2022
View reviewed changes
pkg/unshare/unshare_linux.go Outdated
@@ -76,6 +78,26 @@ func getRootlessGID() int {
return os.Getegid()
}

func isSetID(path string, modeid fs.FileMode, capid capability.Cap) (bool, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's okay to call modeid a os.FileMode.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now you just want to aggravate me....

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trying to get you past the linter, which seems to not understand that package name.

@rhatdan
Check filecaps on newuidmap and newgidmap on failure
d0ed72a 
A fairly common failure is newuidmap and newgidmap not being setuid and
setgid. If these commands fail, check the permissions on the binaries in
order to give the user better information on why they failed.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
@nalind
Copy link
Member

nalind commented Apr 6, 2022

LGTM

giuseppe
giuseppe approved these changes Apr 6, 2022
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rhatdan rhatdan merged commit 0daec8c into containers:main Apr 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nalind nalind nalind left review comments

@Luap99 Luap99 Luap99 left review comments

@giuseppe giuseppe giuseppe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@rhatdan @nalind @giuseppe @Luap99