From patchwork Tue Nov 14 14:09:13 2023
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 56461
Subject: [bug#67175] [PATCH 4/9] least-authority: Add support for changing UIDs/GIDs before exec.
From: Ludovic Courtès
To: 67175@debbugs.gnu.org
Cc: Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Ricardo Wurmus, Simon Tournier, Tobias Geerinckx-Rice
Date: Tue, 14 Nov 2023 15:09:13 +0100
Message-ID: <9044b132a3746d6874969615923f5c534ba00152.1699970930.git.ludo@gnu.org>
X-Mailer: git-send-email 2.41.0

* guix/least-authority.scm (least-authority-wrapper): Add #:user and #:group.
[code]: Add calls to ‘setgid’ and ‘setuid’ when appropriate.

Change-Id: I2aad8e5686b42b5c92fc306b114c5c60cb8bc551

--- guix/least-authority.scm | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/guix/least-authority.scm b/guix/least-authority.scm index bfd7275e7c..3465fe9a48 100644 --- a/guix/least-authority.scm +++ b/guix/least-authority.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2022 Ludovic Courtès +;;; Copyright © 2022-2023 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -41,6 +41,8 @@ (define %precious-variables (define* (least-authority-wrapper program #:key (name "pola-wrapper") + (user #f) + (group #f) (guest-uid 1000) (guest-gid 1000) (mappings '()) 
@@ -55,7 +57,11 @@ (define* (least-authority-wrapper program records indicating directories mirrored inside the execution environment of PROGRAM. DIRECTORY is the working directory of the wrapped process. Each environment listed in PRESERVED-ENVIRONMENT-VARIABLES -is preserved; other environment variables are erased." +is preserved; other environment variables are erased. + +When USER and GROUP are set and NAMESPACES does not include 'user, change UIDs +and GIDs to these prior to executing PROGRAM. This usually requires that the +resulting wrapper be executed as root so it can call setgid(2) and setuid(2)." (define code (with-imported-modules (source-module-closure '((gnu system file-systems) @@ -113,6 +119,10 @@ (define* (least-authority-wrapper program #$program signal) (exit (+ 128 signal)))))) + (define namespaces '#$namespaces) + (define host-group '#$group) + (define host-user '#$user) + ;; Note: 'call-with-container' creates a sub-process that this one ;; waits for. This might seem suboptimal but unshare(2) isn't ;; really applicable: the process would still run in the same PID @@ -123,6 +133,17 @@ (define* (least-authority-wrapper program (lambda () (chdir #$directory) (environ variables) + + (unless (memq 'user namespaces) + ;; This process lives in its parent user namespace, + ;; presumably as root; now is the time to setgid/setuid if + ;; asked for it (the 'clone' call would fail with EPERM if we + ;; changed UIDs/GIDs beforehand). + (when host-group + (setgid (group:gid (getgr host-group)))) + (when host-user + (setuid (passwd:uid (getpw host-user))))) + (apply execl #$program #$program (cdr (command-line)))) ;; Don't assume PROGRAM can behave as an init process.
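Review bot: the docstring added in the @@ -55,7 +57,11 @@ hunk does not match the behaviour of the code: it says "When USER and GROUP are set", but the implementation applies each independently (a GROUP without a USER changes only the GID, and vice versa), and it is silent about the case where NAMESPACES does include 'user, in which case #:user and #:group are ignored without any diagnostic. Suggest rewording to "When USER or GROUP is set ..." and adding a sentence stating that they have no effect when a user namespace is requested, or alternatively rejecting that combination with an error so that a caller who asked for a privilege drop cannot silently end up without one.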
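Review bot: the privilege drop in the @@ -123,6 +133,17 @@ hunk is incomplete because it never clears supplementary groups: a wrapper started as root keeps root's supplementary group memberships across the setgid/setuid calls, since setuid(2) and setgid(2) do not touch them. Suggest calling (setgroups #()) before the (setgid ...) call, keeping the existing setgid-before-setuid order, which is correct since setgid can no longer succeed once the UID is unprivileged. Two smaller points on the same block: when only USER is given, the process keeps the caller's primary GID (0 when run as root), so consider defaulting the GID to (passwd:gid (getpw host-user)) rather than leaving it untouched; and the comment says the process is "presumably as root", which the code cannot verify, so a failing setgid/setuid will surface as a Guile system-error from the child rather than a clear message about running the wrapper with insufficient privileges.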