syscall: syscall.CLONE_NEWUSER causes invalid arg for every executable #48895

Closed
cdoern opened this issue Oct 9, 2021 · 1 comment

cdoern commented Oct 9, 2021

What version of Go are you using (go version)?

$ go version go1.16.8 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

linux/amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/charliedoern/.cache/go-build"
GOENV="/home/charliedoern/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/charliedoern/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/charliedoern/go"

What did you do?

I made a golang program expecting to start a new process and execute a command as root using sudo. When mapping UID/GIDs, whenever I specify syscall.CLONE_NEWUSER in the SysProcAttr the program errors out and informs me fork/exec /usr/bin/sudo: invalid argument but the command outputs the expected result, but does not use sudo. When run without syscall.CLONE_NEWUSER the program hangs indefinitely.

Here is my code snippet (run as user, not as root):

if rootless.IsRootless() && scpOpts.Root {
	syscall.Setuid(0)
	syscall.Setgid(0)
	fmt.Println(syscall.Getuid(), syscall.Getgid())
	cred := &syscall.Credential{Uid: 0, Gid: 0, Groups: []uint32{}, NoSetGroups: false}
	sys := &syscall.SysProcAttr{
		Noctty:                     false,
		Credential:                 cred,
		Setpgid:                    true,
		GidMappingsEnableSetgroups: true,
		Cloneflags: syscall.CLONE_NEWNS |
			syscall.CLONE_NEWUTS |
			syscall.CLONE_NEWIPC |
			syscall.CLONE_NEWPID |
			syscall.CLONE_NEWNET |
			syscall.CLONE_NEWUSER,
		UidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      os.Getuid(),
				Size:        1,
			},
			{
				ContainerID: 1,
				HostID:      0,
				Size:        1,
			},
		},
		GidMappings: []syscall.SysProcIDMap{
			{
				ContainerID: 0,
				HostID:      os.Getgid(),
				Size:        1,
			},
			{
				ContainerID: 1,
				HostID:      0,
				Size:        1,
			},
		},
	}
	cmd := exec.Command("/usr/bin/sudo", "podman", "image", "load", "--input="+scpOpts.Save.Output)
	fmt.Println(cmd.Args)
	cmd.SysProcAttr = sys
	cmd.Env = syscall.Environ()
	outp, err := cmd.Output()
	fmt.Println(string(outp), err)
}

What did you expect to see?

No errors, and the intended command executed using sudo.

What did you see instead?

error fork/exec /usr/bin/sudo: invalid argument
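
Added example, not part of the issue or of the Go project's code: a pre-flight check of the ID mappings in a syscall.SysProcAttr against the user_namespaces(7) rules for a caller without CAP_SETUID/CAP_SETGID in the parent namespace (one map line, for the caller's own ID, with setgroups denied), run on the mappings from the snippet above. The helper names and the caller UID/GID of 1000 are assumptions; the check only reports rule violations and does not reproduce the reported error. It builds on Linux only, since these SysProcAttr fields are Linux-specific.

```go
package main

import (
	"fmt"
	"syscall"
)

// checkUnprivMappings (hypothetical name) returns the user_namespaces(7) rules that attr
// breaks for a caller with effective IDs euid/egid and no CAP_SETUID/CAP_SETGID.
func checkUnprivMappings(attr *syscall.SysProcAttr, euid, egid int) []string {
	var v []string
	if (attr.UidMappings != nil || attr.GidMappings != nil) && attr.Cloneflags&syscall.CLONE_NEWUSER == 0 {
		v = append(v, "ID mappings set without CLONE_NEWUSER")
	}
	single := func(kind string, m []syscall.SysProcIDMap, id int) {
		if m != nil && (len(m) != 1 || m[0].HostID != id || m[0].Size != 1) {
			v = append(v, fmt.Sprintf("%s_map: must be one line mapping only host ID %d, got %v", kind, id, m))
		}
	}
	single("uid", attr.UidMappings, euid)
	single("gid", attr.GidMappings, egid)
	if attr.GidMappings != nil && attr.GidMappingsEnableSetgroups {
		v = append(v, "gid_map: setgroups must stay denied (GidMappingsEnableSetgroups: false)")
	}
	return v
}

type idMap = syscall.SysProcIDMap

// attrFor builds a CLONE_NEWUSER SysProcAttr using m for both the UID and GID maps.
func attrFor(setgroups bool, m ...idMap) *syscall.SysProcAttr {
	return &syscall.SysProcAttr{Cloneflags: syscall.CLONE_NEWUSER,
		UidMappings: m, GidMappings: m, GidMappingsEnableSetgroups: setgroups}
}

// issueAttr mirrors the issue's two-line maps for a constructed caller with UID/GID 1000.
func issueAttr() *syscall.SysProcAttr {
	return attrFor(true, idMap{ContainerID: 0, HostID: 1000, Size: 1}, idMap{ContainerID: 1, HostID: 0, Size: 1})
}

// conformingAttr maps only the caller's own ID and leaves setgroups denied.
func conformingAttr() *syscall.SysProcAttr {
	return attrFor(false, idMap{ContainerID: 0, HostID: 1000, Size: 1})
}

func main() {
	fmt.Println(checkUnprivMappings(issueAttr(), 1000, 1000))
	fmt.Println(checkUnprivMappings(conformingAttr(), 1000, 1000))
}
```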

@cdoern cdoern changed the title syscall.CLONE_NEWUSER causes invalid arg for every executable syscall/execCommand: syscall.CLONE_NEWUSER causes invalid arg for every executable Oct 10, 2021
@toothrot toothrot changed the title syscall/execCommand: syscall.CLONE_NEWUSER causes invalid arg for every executable syscall: syscall.CLONE_NEWUSER causes invalid arg for every executable Oct 12, 2021
@toothrot
Contributor

I don't believe this is a bug in Go or the standard library. A better place to ask this kind of question is golang-nuts. See https://golang.org/wiki/Questions.

Please let me know if I am mistaken.

@golang golang locked and limited conversation to collaborators Oct 12, 2022