New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
user units: implicitly enable PrivateUsers= when sandboxing options are set #25233
Conversation
22ec686
to
ddc1571
Compare
Would a new |
ddc1571
to
053c704
Compare
It turns out it cannot be done from the user manager, as it requires privileges to set up an id map of more than the current uid |
053c704
to
1b776e7
Compare
@brauner and @poettering had the idea to add a service to manage uid/gid ranges that would hand out user namespaces with a uid/gid range and idmapping configured to tools and services. Rootless nspawn would make use of this. I wonder if we could use the same service here to get an identity mapping without needing privileges? Not sure about the security implications though. |
If it worked it could be retrofitted to use it yes - but it can be done later |
mmh I tried this, but when the receiving end of the namespace FD is not the same uid, I get -EPERM back from |
Just summarizing what I explained elsewhere just now. To make this work you should have the |
That's why I have time to do the cool stuff! Beer-fueled hacking go brrrr |
1b776e7
to
68207d0
Compare
ae85848
to
8e90fbc
Compare
8e90fbc
to
d2d6b45
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should merge this.
The only open issue is how to handle ProtectKernelModules= and other settings that are partially implemented via seccomp. Lennart's approach gives slightly better backwards-compat, and Luca's approach (current patch) gives slightly more reasonable behaviour for users. I think we should be fine with the latter because of the preparatory work that was done: queries in distros and on the mailing list. The expectation is that that units that would be affected by this are very rare or nonexistent. Of course we will need to announce this in NEWS, etc, but I think we can get away with this. Let's merge this now, while there is still some time before the next release, to give it some time to "bake".
Needs a rebase and typo fixes.
d2d6b45
to
75c9ba3
Compare
CentOS CI (Arch Linux) fails deep in TEST-75-RESOLVED. But I don't think this is related, the unit is up and running when the failure happens. |
…re set Enabling these options when not running as root requires a user namespace, so implicitly enable PrivateUsers=. This has a side effect as it changes which users are visible to the unit. However until now these options did not work at all for user units, and in practice just a handful of user units in Fedora, Debian and Ubuntu mistakenly used them (and they have been all fixed since). This fixes the long-standing confusing issue that the user and system units take the same options but the behaviour is wildly (and sometimes silently) different depending on which is which, with user units requiring manually specifiying PrivateUsers= in order for sandboxing options to actually work and not be silently ignored.
75c9ba3
to
99ea34b
Compare
jammy-ppc64el: TEST-29-PORTABLE: FAIL (1809 s) |
Enabling these options when not running as root requires a user namespace, so implicitly enable PrivateUsers=.