Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syscall: TestEmptyCredGroupsDisableSetgroups fails #12412

Closed
kostya-sh opened this issue Aug 31, 2015 · 12 comments
Closed

syscall: TestEmptyCredGroupsDisableSetgroups fails #12412

kostya-sh opened this issue Aug 31, 2015 · 12 comments
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@kostya-sh
Copy link
Contributor

When building go tip (019297a) I am getting the following error:

--- FAIL: TestEmptyCredGroupsDisableSetgroups (0.00s)
    exec_linux_test.go:117: fork/exec /usr/bin/whoami: operation not permitted
FAIL
FAIL    syscall 0.053s

OS: Debian 8.1
Kernel: Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04)
User groups: user cdrom floppy sudo audio dip video plugdev netdev
@davecheney
Copy link
Contributor

Confirmed, I'm seeing this failure on a linux/arm debian 8.1 host. http://build.golang.org/log/4598aa4c79dd80307dd9701414397c175e550e73

Anyone care to bisect ?

@davecheney davecheney added this to the Go1.6 milestone Aug 31, 2015
@kostya-sh
Copy link
Contributor Author

I am fairly sure that this first appeared in 8261c88 where TestEmptyCredGroupsDisableSetgroups test was added.

@ianlancetaylor
Copy link
Contributor

This implies that execve ("/usr/bin/whoami") is returning EACCESS. Why would that happen? Can you run /usr/bin/whoami from a shell? Is there any kind of security wrapper around the Go build?

@kostya-sh
Copy link
Contributor Author

/usr/bin/whoami from a shell works. It is also executed successfully from the other tests in the same file.

I think the test fails because of cmd.SysProcAttr.Credential = &syscall.Credential{} (

go/src/syscall/exec_linux_test.go

Line 115 in 8261c88

cmd.SysProcAttr.Credential = &syscall.Credential{}
)

@kostya-sh
Copy link
Contributor Author

Possibly useful information about OS and kernel versions:

$ cat /etc/debian_version
8.1

$ cat /proc/version
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04)

@ianlancetaylor
Copy link
Contributor

CC @LK4D4

@LK4D4
Copy link
Contributor

LK4D4 commented Aug 31, 2015

@ianlancetaylor I think it's because of "/proc/sys/kernel/unprivileged_userns_clone". I'll move this check to whoamiCmd now.

@kostya-sh
Copy link
Contributor Author

@LK4D4 after echo 1 > /proc/sys/kernel/unprivileged_userns_clone the test passed

@LK4D4
Copy link
Contributor

LK4D4 commented Aug 31, 2015

@kostya-sh Thanks for update.
I tried to move check of this earlier in code here https://go-review.googlesource.com/#/c/14110/
Could you try it, pls?

@gopherbot
Copy link

CL https://golang.org/cl/14110 mentions this issue.

@kostya-sh
Copy link
Contributor Author

@LK4D4 it works (though all tests are skipped):

=== RUN   TestCloneNEWUSERAndRemapRootDisableSetgroups
--- SKIP: TestCloneNEWUSERAndRemapRootDisableSetgroups (0.00s)
    exec_linux_test.go:63: skipping root only test
=== RUN   TestCloneNEWUSERAndRemapRootEnableSetgroups
--- SKIP: TestCloneNEWUSERAndRemapRootEnableSetgroups (0.00s)
    exec_linux_test.go:70: skipping root only test
=== RUN   TestCloneNEWUSERAndRemapNoRootDisableSetgroups
--- SKIP: TestCloneNEWUSERAndRemapNoRootDisableSetgroups (0.00s)
    exec_linux_test.go:31: kernel prohibits user namespace in unprivileged process
=== RUN   TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups
--- SKIP: TestCloneNEWUSERAndRemapNoRootSetgroupsEnableSetgroups (0.00s)
    exec_linux_test.go:31: kernel prohibits user namespace in unprivileged process
=== RUN   TestEmptyCredGroupsDisableSetgroups
--- SKIP: TestEmptyCredGroupsDisableSetgroups (0.00s)
    exec_linux_test.go:31: kernel prohibits user namespace in unprivileged process
PASS
ok      syscall 0.006s

@LK4D4
Copy link
Contributor

LK4D4 commented Aug 31, 2015

@kostya-sh I think it's ok, they should be skipped if it's impossible to clone userns.

@golang golang locked and limited conversation to collaborators Sep 4, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6
Development

No branches or pull requests
5 participants
@davecheney @LK4D4 @ianlancetaylor @kostya-sh @gopherbot