-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NixOS setuid wrapper prevent running sudo in user namespace #42117
Comments
Note: this breaks with all security wrappers, not just sudo (just duped with |
I get the same problem with steam-run.
Is there any way around this? |
Sorry for the very late reply, the original Github issue email message must have got lost in my inbox :-/ It has been a while since I've looked at the wrapper code so I will need to familiarize myself first before I can provide an answer to the question asking if it is safe to relax the assertion. I'll see if I can spend some time doing that later today. |
Pinging this: I'm trying to use |
Running the activation script in a chroot in the namespace creates wrappers with the right ownership (though it also reported other errors.) Unfortunately, in the case of trying to drop to regular user with Edit: if you're already root in the namespace, you can also just bypass the wrapper (execute the path in e.g. |
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
|
Still a problem, just hit this on 20.03 when trying to use Gitea with nullmailer. |
I also get the same error, but when running a normal appImage (appimage runs fuse):
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/help-with-a-derivation-package/8686/6 |
The same happens to |
Bubblewrap breaks setuid inside containers by design which is what causes the check to fail. Unfortunately, this means that even if the check were removed, the functionality that requires setuid in the first place would just fail later down the line. The only way around this would be passing a message to a setuid binary on the host, as Flatpak does with |
I've the feeling that bubblewrap creates more troubles than it solves, because bubblewrap's goal is to jail apps while (as far as I understand) NixOs only uses bubblewrap to get user namespaces… Wouldn't it be easier for NixOs to simply write a short C code that only provides user namespaces?
|
Nix runs on more than just NixOS and many distros do not have user namespaces enabled for security reasons. |
I seem to have this issue in #126744 (set as duplicate of this issue) |
Duplicate with some more discussion and repro steps: #69338 |
I did some looking into making a unprivileged userns container with unshare, and setuid is non-trivial to work there too. It will be possible to get setuid to a "fake" root, but getting "real" root inside the container doesn't seem possible, as "real" root no longer has uid 0 inside the container. This is probably by design - if a user can create an arbitrary container with an arbitrary host setuid binary, they can surely design the container such that they can escalate privileges (eg. by swapping out libc out from under the setuid binary.) I suppose we could look into a privileged mountns script that drops back to the capabilities of the calling user. |
Just found this in a different situation:
Can't we at least change the wrapper to check for an unshared user namespace and call directly the real binary? It's pretty easy to detect by looking at |
That will only work if we're root in the container, and only for things that a fake root can do (mounts inside the container, but not bind to port 80 or capture packets/trace from host processes, etc...) Correct me if I'm wrong, but the primary use case for userns on Nix is to emulate a FHS distro, but while preserving the user's environment and Nix functionality, is it not? I do have to wonder if we're simply using the wrong tool for that. |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/build-a-yocto-rootfs-inside-nix/2643/28 |
@matthewbauer: Might be related: |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/build-a-yocto-rootfs-inside-nix/2643/29 |
Stumbled upon this as well. Thanks @rnhmjoj, your comment lead me to this general workaround: $ PATH="/run/current-system/sw/bin:$PATH" ./command-that-runs-in-userns.sh This might be overly generic, or might need to be adapted in combination with other environments etc., but seems like a simple workaround. Edit: This version might be a bit cleaner: $ PATH=${PATH//:\/run\/wrappers\/bin/} ./command-that-runs-in-userns.sh It simply removes all entries Edit: Of course this doesn't work for
|
I've had a look into how Flatpak solves this issue and it seems like most apps use Polkit to authenticate. SteamVR (the main reason I'm here) uses it too. AFAIUI, it's an IPC-based privilege escalation mechanism which enables it to work in containers. It needs a privileged daemon on the host of course though. Perhaps we could build a sudo substitute on top of polkit? |
This is quite annoying, it's not explained anywhere that |
The fix is for issue NixOS/nixpkgs#42117 where the unshare in the normal path cannot perform a bind mount inside a fakeroot user namespace on NixOS. This is required to ensure that DNS works properly inside the test environment.
I created an FHS environment so that I could run some sudo nix-shell , and then, once the shell starts, run sudo -u <their-username> bash I also created an example implementation of this workaround. |
On my NixOS, `mount` is a SUID wrapper which fails in a user NS with our UID mapping, like this: Assertion `!(st.st_mode & S_ISUID) || (st.st_uid == geteuid())` in NixOS's wrapper.c failed. That's because in the created NS, the `/run/wrappers/bin/mount` appears to be owned by `nobody:nogroup`. Fortunately, there's also the `/run/current-system/sw/bin/mount` which does not involve any fancy wrappers. So just let me pass `-DMOUNT_EXECUTABLE=/run/current-system/sw/bin/mount` in my local build script. Bug: NixOS/nixpkgs#42117 (comment) Change-Id: If5c601981c69bc179e5e413cc6692a56db65529d
see #231673 |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: |
This issue has been mentioned on NixOS Discourse. There might be relevant details there: |
On NixOS 18.03:
The assertion in question is this:
nixpkgs/nixos/modules/security/wrappers/wrapper.c
Line 203 in f85a82a
If I'm able to to run
sudo -u nobody
outside the user namespace, why should I lose this capability inside a user namespace where I am root?Could the assertion be safely relaxed so that I can still drop privileges to
nobody
inside my faked root environment (using sudo, after executing some commands as that fake root user)?CC @ixmatus
The text was updated successfully, but these errors were encountered: