Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create escape hatch for supplementary group sandboxing woes #8307

Closed
wants to merge 2 commits into from
Closed

Create escape hatch for supplementary group sandboxing woes #8307

wants to merge 2 commits into from

Conversation

Ericson2314
Copy link
Member

Motivation

There is no obvious good solution for this that has occurred to anyone.

Provide a way to hack around trying to drop supplementary groups when root.

Context

Currently,

unshare --map-root-user nix-build ...

will fail when the outside user is not root, because one doesn't actually have the permission to call setgroups. This provides a work-around to skip that step.

Checklist for maintainers

Maintainers: tick if completed or explain if not relevant

  • agreed on idea
  • agreed on implementation strategy
  • tests, as appropriate
    • functional tests - tests/**.sh
    • unit tests - src/*/tests
    • integration tests - tests/nixos/*
  • documentation in the manual
  • documentation in the internal API docs
  • code and comments are self-explanatory
  • commit message explains why the change was made
  • new feature or incompatible change: updated release notes

Priorities

Add 👍 to pull requests you find important.

@Ericson2314
Create escape hatch for supplementary group sandboxing woes
6d1aa52 
There is no obvious good solution for this that has occured to anyone.
@symphorien
Copy link
Member

Alternatively, it's possible to detect that the call will fail by reading /proc/pid/setgroups: it contains deny inside unshare -r

@Ericson2314 Ericson2314 deleted the best-effort-supplementary-groups branch May 15, 2023 16:38
@Ericson2314 Ericson2314 restored the best-effort-supplementary-groups branch May 15, 2023 16:38
@Ericson2314 Ericson2314 reopened this May 15, 2023
@Ericson2314 Ericson2314 deleted the best-effort-supplementary-groups branch May 15, 2023 16:38
@Ericson2314
Copy link
Member Author

Reopened as #8342 so @benradf can also push.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@symphorien symphorien symphorien left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Ericson2314 @symphorien