From patchwork Mon May 5 08:59:34 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 42322
Subject: [bug#78256] [PATCH] daemon: Use the actual overflow UID and GID in /etc/passwd.
To: 78256@debbugs.gnu.org
Cc: keinflue, Ludovic Courtès
From: Ludovic Courtès
Date: Mon, 5 May 2025 10:59:34 +0200
Message-ID: <30197546d98c6e9527ce2b92a47c1457a1ced673.1746392495.git.ludo@gnu.org>
X-Mailer: git-send-email 2.49.0

Partly fixes .

* nix/libstore/build.cc (fileContent, overflowUID, overflowGID): New
functions.
(DerivationGoal::startBuilder): Use them to populate /etc/passwd when
‘buildUser.enabled()’ is false.

Reported-by: keinflue
Change-Id: I695c697629c739d096933274c1c8a70d08468d4a
---
 nix/libstore/build.cc | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

base-commit: c2c4bc8758616ebc0148e1bce9311a80658ace88
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index a1f39d9a8b..773dcf1a01 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -13,6 +13,7 @@ #include #include #include +#include #include #include 
@@ -1646,6 +1647,36 @@ static void initializeUserNamespace(pid_t child, (format("%d %d 1") % guestGID % hostGID).str()); } +/* Return the content of FILE as an integer, or DFLT if FILE could not be + opened or parsed. */ +static unsigned int fileContent(const std::string &file, int dflt) +{ + AutoCloseFD fd; + fd = open(file.c_str(), O_RDONLY|O_CLOEXEC); + if (fd == -1) + return dflt; + else { + char buf[64]; + ssize_t count = read (fd, buf, sizeof buf); + if (count <= 0) return dflt; + + unsigned int result = dflt; + std::string str = buf; + try { result = std::stoi(str); } catch (...) {}; + return result; + } +} + +static uid_t overflowUID() +{ + return fileContent("/proc/sys/kernel/overflowuid", 65534); +} + +static gid_t overflowGID() +{ + return fileContent("/proc/sys/kernel/overflowgid", 65534); +} + void DerivationGoal::startBuilder() { auto f = format( @@ -1846,9 +1877,11 @@ void DerivationGoal::startBuilder() writeFile(chrootRootDir + "/etc/passwd", (format( "nixbld:x:%1%:%2%:Nix build user:/:/noshell\n" - "nobody:x:65534:65534:Nobody:/:/noshell\n") + "nobody:x:%3%:%4%:Nobody:/:/noshell\n") % (buildUser.enabled() ? buildUser.getUID() : guestUID) - % (buildUser.enabled() ? buildUser.getGID() : guestGID)).str()); + % (buildUser.enabled() ? buildUser.getGID() : guestGID) + % (buildUser.enabled() ? 65534 : overflowUID()) + % (buildUser.enabled() ? 65534 : overflowGID())).str()); /* Declare the build user's group so that programs get a consistent view of the system (e.g., "id -gn"). */
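Review bot: in fileContent, `std::string str = buf;` builds the string from a buffer that read() never NUL-terminated, so the constructor scans past the `count` bytes actually read into uninitialized stack memory; construct it from what was read instead, e.g. `std::string str(buf, count);`. In the same function, `result` is declared `unsigned int` and handed to uid_t/gid_t callers, but the value is parsed with `std::stoi`, which returns a signed int and throws for anything above INT_MAX (a 32-bit overflow ID such as 4294967294 would silently fall back to `dflt`); `std::stoul` matches the return type, and the stray `;` after `catch (...) {}` is an empty statement that can go. A lone read() can also return short or fail with EINTR; for a sysctl file that is unlikely to matter, but if this tree still has `readFile` next to the `writeFile` used further down, it replaces the open/read dance and handles both.

Review bot: in the /etc/passwd hunk, the `buildUser.enabled()` branch keeps a hard-coded 65534 for nobody while the other branch reads the kernel's overflow IDs; if the point is that the chroot's `nobody` should match what unmapped IDs actually appear as, either apply overflowUID()/overflowGID() in both branches or say in the commit message why 65534 stays correct when a build user is in use (the message only states the overflow IDs are used when `buildUser.enabled()` is false). The following context line about declaring the build user's group suggests /etc/group is written right after; if that file also hard-codes a 65534 group for nobody, it should use overflowGID() the same way so that `id nobody` inside the build environment is consistent with the passwd entry.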