Control: tags -1 d-i

On 2015-03-25 14:58, Kirill Smelkov wrote:
> Package: release.debian.org
> Severity: important
> User: release.debian....@packages.debian.org
> Usertags: unblock, confirmed, moreinfo
> 
> Hello up there,
> 
> Recently I've discovered that `unshare -r`, though it used to work in
> 2014, stopped working for Jessie:
> 
>     https://bugs.debian.org/780841
> 
> The fix was pre-ack'ed by util-linux maintainer (Andreas Henriksson)
> 
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780841#10
> 
> and pre-approved by RT member Niels Thykier on debian-release@l.d.o:
> 
>     https://lists.debian.org/debian-release/2015/03/msg00661.html
> 
> 
> Niels asked to file an unblock request with full intended debdiff, which
> I do here. It is an NMU, because there is no reply from Andreas for
> several days. Hope it is ok.
> 
> 
> Thanks beforehand,
> Kirill
> 

Hi,

I have unblocked this now and am CC'ing KiBi for a d-i ack.  I am also
quoting in full for his convenience.

Thanks,
~Niels

> 
> diff --git a/debian/changelog b/debian/changelog
> index 7850238..0d80c1b 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +util-linux (2.25.2-5.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Cherry-pick `unshare -r` fix from upstream. (Closes: #780841)
> +
> + -- Kirill Smelkov <k...@nexedi.com>  Wed, 25 Mar 2015 16:23:34 +0300
> +
>  util-linux (2.25.2-5) unstable; urgency=medium
>  
>    * Revert "Trigger update of initramfs on upgrades" (Closes: #773354)
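Review bot: the changelog line says only that an `unshare -r` fix is cherry-picked, not why it is needed; since the behaviour change is user-visible (every `--map-root-user` namespace now has setgroups denied), a short hint after the `Closes:` tag, e.g. `(deny setgroups before writing gid_map, as required by kernels carrying the setgroups security fix)`, would tell users reading the changelog why `unshare -r` started working again and what changed inside the namespace.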
> diff --git a/debian/patches/series b/debian/patches/series
> index 6428b26..577ad52 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -17,3 +17,4 @@ Update-Japanese-translation.patch
>  Update-Russian-translation.patch
>  Trivial-unfuzzy.patch
>  libblkid-care-about-unsafe-chars-in-cache.patch
> +unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> diff --git 
> a/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch 
> b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> new file mode 100644
> index 0000000..9a469c1
> --- /dev/null
> +++ b/debian/patches/unshare-Fix-map-root-user-to-work-on-new-kernels.patch
> @@ -0,0 +1,71 @@
> +From: "Eric W. Biederman" <ebied...@xmission.com>
> +Date: Wed, 17 Dec 2014 17:06:03 -0600
> +Subject: [PATCH] unshare: Fix --map-root-user to work on new kernels
> +Origin: 
> https://git.kernel.org/cgit/utils/util-linux/util-linux.git/commit?id=0bf159413bdb9e324864a422b7aecb081e739119
> +
> +In rare cases droping groups with setgroups(0, NULL) is an operation
> +that can grant a user additional privileges.  User namespaces were
> +allwoing that operation to unprivileged users and that had to be
> +fixed.
> +
> +Update unshare --map-root-user to disable the setgroups operation
> +before setting the gid_map.
> +
> +This is needed as after the security fix gid_map is restricted to
> +privileged users unless setgroups has been disabled.
> +
> +Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
> +---
> + include/pathnames.h |  1 +
> + sys-utils/unshare.c | 19 +++++++++++++++++++
> + 2 files changed, 20 insertions(+)
> +
> +diff --git a/include/pathnames.h b/include/pathnames.h
> +index 0d21b98..cbc93b7 100644
> +--- a/include/pathnames.h
> ++++ b/include/pathnames.h
> +@@ -93,6 +93,7 @@
> + 
> + #define _PATH_PROC_UIDMAP   "/proc/self/uid_map"
> + #define _PATH_PROC_GIDMAP   "/proc/self/gid_map"
> ++#define _PATH_PROC_SETGROUPS        "/proc/self/setgroups"
> + 
> + #define _PATH_PROC_ATTR_CURRENT     "/proc/self/attr/current"
> + #define _PATH_PROC_ATTR_EXEC        "/proc/self/attr/exec"
> +diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
> +index fccdba2..9fdce93 100644
> +--- a/sys-utils/unshare.c
> ++++ b/sys-utils/unshare.c
> +@@ -39,6 +39,24 @@
> + #include "pathnames.h"
> + #include "all-io.h"
> + 
> ++static void disable_setgroups(void)
> ++{
> ++    const char *file = _PATH_PROC_SETGROUPS;
> ++    const char *deny = "deny";
> ++    int fd;
> ++
> ++    fd = open(file, O_WRONLY);
> ++    if (fd < 0) {
> ++            if (errno == ENOENT)
> ++                    return;
> ++             err(EXIT_FAILURE, _("cannot open %s"), file);
> ++    }
> ++
> ++    if (write_all(fd, deny, strlen(deny)))
> ++            err(EXIT_FAILURE, _("write failed %s"), file);
> ++    close(fd);
> ++}
> ++
> + static void map_id(const char *file, uint32_t from, uint32_t to)
> + {
> +     char *buf;
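Review bot: in disable_setgroups(), returning silently only on ENOENT is the right choice: kernels predating the setgroups restriction have no /proc/self/setgroups and still accept the gid_map write, so a missing file must not abort, while any other open() failure (for example a file that exists but is not writable) is correctly fatal. Two points worth addressing: the diffstat touches only pathnames.h and unshare.c, yet after this change setgroups(2) is permanently refused inside every `--map-root-user` namespace and its descendants, so unshare(1) should document that; and the function uses O_WRONLY and ENOENT without adding includes, so it is worth confirming that <fcntl.h> and <errno.h> are already pulled in above the context shown.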
> +@@ -181,6 +199,7 @@ int main(int argc, char *argv[])
> +     }
> + 
> +     if (maproot) {
> ++            disable_setgroups();
> +             map_id(_PATH_PROC_UIDMAP, 0, real_euid);
> +             map_id(_PATH_PROC_GIDMAP, 0, real_egid);
> +     }
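Review bot: the position of the disable_setgroups() call is what makes the fix work and deserves a comment, because nothing in this hunk says why setgroups is touched first: on fixed kernels an unprivileged write to gid_map is refused unless "deny" has already been written to /proc/self/setgroups, so the call must precede map_id(_PATH_PROC_GIDMAP, 0, real_egid); the uid_map write does not depend on it, so placing the call before both map_id() calls is correct and keeps the two mappings together. A one-line comment such as `/* gid_map is only writable by unprivileged users once setgroups is denied */` above the call would stop a later reorder from silently reintroducing #780841.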
> 
> 

