syscall: CLONE_NEWUSER from unprivileged user #10626
Comments
Are you sure your uid/gid are both 1000?

```
$ cat issue10626.go
import (
func main() {
id
uid=0(root) gid=0(root) groups=0(root),65534(nobody)
```
@minux Yeah, I changed the code as you suggested (Getuid/Getgid), the result is the same. What kernel do you use?
3.17.4-gentoo
Actually, since 3.19 kernel code from
I am seeing the same issue as @LK4D4 (on 3.19.4) and I am thinking that this might be related to the setgroups code torvalds/linux@9cc4651
@LK4D4 yes, at minimum the Go code has to add a check for the presence of setgroups and write deny into it.
@mrunalp Actually I tried to insert
Also I tried to reimplement this with
It would be nice to fix this problem, but I don't understand what is causing it. Can somebody running kernel 3.19 or later figure this out? For example, if somebody can demonstrate a working C program, we may be able to modify the syscall package in the same way.
@ianlancetaylor There is a working C program in http://man7.org/linux/man-pages/man7/user_namespaces.7.html
Thanks. It seems clear from the man page that we must write "deny" to /proc/PID/setgroups before writing to /proc/PID/gid_map. That seems consistent with the problem in the initial issue report. But I see your earlier comment that when you tried that, it failed. Can you share the patch that you tried?
@ianlancetaylor Yup, in 30 minutes.
@ianlancetaylor Hmm, sorry for the confusion. It works for me now; maybe I did something wrong the first time or maybe I updated the kernel (now I use 4.0.4 and there were a lot of changes in 4.0.2).
CL https://golang.org/cl/10670 mentions this issue. |
The fix for this seems to have broken the syscall test on my machine.
Interesting. It fails on my system too. The test successfully opens /proc/PID/setgroups and writes "deny" to it. It then successfully opens /proc/PID/gid_map. However, the attempt to write to gid_map fails with EPERM.
Sent http://golang.org/cl/11055.
Hi @LK4D4, for your above comments: Linux 3.19.0-30-generic. Did you get that to work in your env?
@HackToday yeah, it should work with the latest go versions.
@LK4D4 I tried the C program, it did not work. That was the guide issue, as said, need to add

And besides, I noticed, even when I added this, the example in it would not have this result. The result is as this:

```
# cat /proc/$$/status | egrep '^[UG]id'
```

Do you know why it is not mapped?
It should be possible to use `CLONE_NEWUSER` from an unprivileged user, but somehow it isn't. Code:

On `./unshare /bin/zsh` returns

Strace shows:

Code similar to `forkAndExecInChild` from `syscall/exec_linux.go` is in `man user_namespaces`: https://gist.github.com/31920b19eb18cf4b507d

I compiled it with `clang clone.c -o clone` and ran it as `./clone -Uz /bin/zsh`. It works from an unprivileged user and maps uids/gids inside the namespace. It is a pretty cool feature, because it allows unprivileged users to create their own namespaces.

ping @mrunalp as author of UidMappings.

For reproducing I used go from tag `go1.4.2` on x86_64 Gentoo linux with a `4.0.0` kernel.
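The behaviour the thread converges on (check for /proc/PID/setgroups, deny it before writing gid_map, then map the caller's uid/gid to 0) expressed with the `syscall.SysProcAttr` fields the Go syscall package provides. This is an added example, not code from the issue or from the Go project; it assumes Linux with unprivileged user namespaces enabled and `/usr/bin/id` present.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"syscall"
)

// userNSAttr builds the SysProcAttr for a child that starts in a fresh user
// namespace with the caller's real uid/gid mapped to 0 inside it.
// GidMappingsEnableSetgroups stays false: the runtime then writes "deny" to
// /proc/PID/setgroups before /proc/PID/gid_map, the order a 3.19+ kernel
// requires when the parent is unprivileged.
func userNSAttr(hostUID, hostGID int) *syscall.SysProcAttr {
	return &syscall.SysProcAttr{
		Cloneflags:                 syscall.CLONE_NEWUSER,
		UidMappings:                []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostUID, Size: 1}},
		GidMappings:                []syscall.SysProcIDMap{{ContainerID: 0, HostID: hostGID, Size: 1}},
		GidMappingsEnableSetgroups: false,
	}
}

// mapLine renders one mapping as "<inside> <outside> <count>\n", the form
// /proc/PID/uid_map and gid_map accept (the runtime writes this for us).
func mapLine(m syscall.SysProcIDMap) string {
	return fmt.Sprintf("%d %d %d\n", m.ContainerID, m.HostID, m.Size)
}

// kernelHasSetgroups reports whether /proc/PID/setgroups exists for pid,
// i.e. whether this kernel (3.19 and later) enforces the "deny" step.
func kernelHasSetgroups(pid int) bool {
	_, err := os.Stat(fmt.Sprintf("/proc/%d/setgroups", pid))
	return err == nil
}

func main() {
	// Run id(1) in the new namespace; a correct mapping prints uid=0(root).
	cmd := exec.Command("/usr/bin/id")
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	cmd.SysProcAttr = userNSAttr(os.Getuid(), os.Getgid())
	if err := cmd.Run(); err != nil {
		// EPERM here on a 3.19+ kernel is the symptom from this issue:
		// gid_map written before setgroups was denied.
		fmt.Fprintf(os.Stderr, "setgroups file present: %v; run failed: %v\n",
			kernelHasSetgroups(os.Getpid()), err)
		os.Exit(1)
	}
}
```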