Control: tag -1 + patch

On Thu, 25 Sep 2014 19:46:43 -0400 Matthew Gabeler-Lee
<chee...@fastcat.org> wrote:
> Package: switchsh
> Version: 0~20070801-3.1
> Severity: important
> Tags: upstream
> 
> The unshare() done by switchsh doesn't seem to work properly, at least with
> systemd "in effect".  However, on a system with sysvinit, it works fine.
> 
> The result is that, on the systemd system, the bind mount done by switchsh
> takes effect globally, and is never undone, except if the administrator
> notices it left around and fixes it.
> 
> And since it's never undone automatically, you can end up with a LOT of bind
> mounts created by it.

This is #739593. Here is a patch proposal based on the explanations there.

Thanks,

_g.
diff -u switchsh-0~20070801/debian/changelog 
switchsh-0~20070801/debian/changelog
--- switchsh-0~20070801/debian/changelog
+++ switchsh-0~20070801/debian/changelog
@@ -1,3 +1,11 @@
+switchsh (0~20070801-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Remount / with MS_SLAVE|MS_REC inside the CLONE_NEWNS namespace so
+    that the bind mount doesn't affect the entire system (closes: #762892)
+
+ -- Gilles Filippini <p...@debian.org>  Wed, 25 May 2016 18:20:23 +0200
+
 switchsh (0~20070801-3.1) unstable; urgency=low
 
   * Non-maintainer upload.
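Review bot: the changelog entry could say in one clause why the remount is needed, namely that it only matters when / is a shared mount (as the patch's Description states), which is what made the bug show up under systemd but not sysvinit; without that, a reader has to go to #739593 to understand why a `MS_SLAVE|MS_REC` remount fixes a bind-mount leak. The rest of the entry (NMU marker, version 0~20070801-3.2, `closes: #762892`) matches the bug being fixed.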
diff -u switchsh-0~20070801/debian/patches/series 
switchsh-0~20070801/debian/patches/series
--- switchsh-0~20070801/debian/patches/series
+++ switchsh-0~20070801/debian/patches/series
@@ -2,0 +3 @@
+remount_rootfs_rslave.patch
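Review bot: the `@@ -2,0 +3 @@` hunk appends `remount_rootfs_rslave.patch` as the third entry of `series`, after the two existing patches that are not shown here; since the new patch also edits `switchsh.c` around `main()` at line 105, it is worth confirming that it still applies cleanly once those earlier patches have been applied, and that the series file keeps its trailing newline (the hunk shows only the added line, so that cannot be checked from the diff itself).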
only in patch2:
unchanged:
--- switchsh-0~20070801.orig/debian/patches/remount_rootfs_rslave.patch
+++ switchsh-0~20070801/debian/patches/remount_rootfs_rslave.patch
@@ -0,0 +1,21 @@
+Description: When / is mounted as shared, unshare(CLONE_NEWNS) doesn't
+ prevent the bind mount to be system wide. Worse: it isn't unmounted
+ at exit.
+ Thus this patch wich remount / with --make-rslave.
+ See #739593 for more details.
+Author: Gilles Filippini <p...@debian.org>
+Bug-Debian: https://bugs.debian.org/762892
+Index: switchsh-0~20070801/switchsh.c
+===================================================================
+--- switchsh-0~20070801.orig/switchsh.c
++++ switchsh-0~20070801/switchsh.c
+@@ -105,7 +105,8 @@ int main(int argc, char *argv[])
+     }
+ #endif
+ 
+-    if (mount("/bin/bash", "/bin/sh", NULL, MS_BIND, NULL) < 0) {
++    if ((mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) ||
++        (mount("/bin/bash", "/bin/sh", NULL, MS_BIND, NULL) < 0)) {
+       if (errno == EPERM)
+           err_quit("This program must be setuid root!");
+       err_sys("mount");
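Review bot: the new `mount("", "/", NULL, MS_SLAVE|MS_REC, NULL)` call is placed right after an `#endif`, so if the `unshare(CLONE_NEWNS)` call this remount depends on lives inside that conditional block, the remount should sit inside the same conditional: a build without it would change the propagation type of / in the host's own mount namespace, which is a system-wide change rather than a per-process one. Consider also splitting the combined condition so the two failures are reported separately, e.g. `err_sys("mount (make-rslave /)")` for the first and `err_sys("mount (bind /bin/sh)")` for the second; as written, both share one `err_sys("mount")` and one `EPERM` message, so the operator cannot tell which step failed. Two wording fixes for the Description header: "doesn't prevent the bind mount to be system wide" should read "from being system wide", and "this patch wich remount /" should read "this patch, which remounts / with --make-rslave" (the flags `MS_SLAVE|MS_REC` are the correct mount(2) equivalent of that option, and passing an empty source is fine because the source is ignored for propagation-type changes).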
