Running apt #6

Open
angelhof opened this issue May 24, 2023 · 11 comments · May be fixed by #145
Assignees
Labels
bug Something isn't working

Comments

@angelhof
Member

Currently, try with apt install fails with sudo both inside and outside the try:

$ ./try sudo apt install tmux
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /usr/lib/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins
$ sudo ./try apt install tmux
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  tmux
1 upgraded, 0 newly installed, 0 to remove and 227 not upgraded.
Need to get 292 kB of archives.
After this operation, 0 B of additional disk space will be used.
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 105 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Ign:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 tmux amd64 3.0a-2ubuntu0.4
Err:1 http://security.ubuntu.com/ubuntu focal-updates/main amd64 tmux amd64 3.0a-2ubuntu0.4
  Could not open file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - open (13: Permission denied) [IP: 91.189.91.39 80]
W: chown to _apt:root of directory /var/cache/apt/archives/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chmod 0700 of directory /var/cache/apt/archives/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 105 failed - seteuid (22: Invalid argument)
W: Download is performed unsandboxed as root as file '/var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
W: Problem unlinking the file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - PrepareFiles (13: Permission denied)

Changes detected in the following files:

/tmp/tmp.neLW9gBc4r/upperdir/var/cache/apt/archives/lock
/tmp/tmp.neLW9gBc4r/upperdir/var/lib/dpkg/lock
/tmp/tmp.neLW9gBc4r/upperdir/var/lib/dpkg/lock-frontend

Commit these changes? [y/N]
@angelhof
Member Author

The issue seems to have to do with our use of unshare. It seems that unshare offers an option to allow setgroups, which is not compatible with --map-root-user, which we need in order to create the overlay after the first unshare. I think that we might need to implement our own version of unshare to have finer-grained control over everything...
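The four `E:` lines in the apt output above are the visible result of the user-namespace id mapping that `unshare --map-root-user` sets up: it writes a single `uid_map`/`gid_map` entry (in-namespace 0 to the caller's id) and writes "deny" to `/proc/self/setgroups`, so `setgroups()` fails with EPERM and `setegid`/`seteuid` to an unmapped id fail with EINVAL. The script below is an added illustration, not code from the try project; it parses the `/proc/<pid>/uid_map` format and replays apt's privilege-drop sequence against two constructed mappings (the `--map-root-user` one and a one-to-one mapping). The uid 105 for `_apt` and gid 65534 for `nogroup` are taken from the log; the simplified kernel rules (deny means EPERM, unmapped id means EINVAL) are an assumption of the model, not a claim about every kernel path.

```python
"""Model how a user-namespace id mapping decides whether apt's set*id calls succeed.

Added example; not part of try. It simulates, it does not call, the real syscalls.
"""
import errno
import os
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IdMapEntry:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the parent namespace
    count: int    # length of the contiguous range


def parse_id_map(text: str) -> List[IdMapEntry]:
    """Parse the /proc/<pid>/uid_map or gid_map format: 'inside outside count' per line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, count = (int(f) for f in fields)
        entries.append(IdMapEntry(inside, outside, count))
    return entries


def is_mapped(entries: List[IdMapEntry], ident: int) -> bool:
    """True when the in-namespace id falls inside some mapped range."""
    return any(e.inside <= ident < e.inside + e.count for e in entries)


def sim_setid(entries: List[IdMapEntry], ident: int) -> int:
    """Model setegid()/seteuid(): an id with no mapping is invalid in this namespace -> EINVAL."""
    return 0 if is_mapped(entries, ident) else errno.EINVAL


def sim_setgroups(entries: List[IdMapEntry], groups: List[int], setgroups_policy: str) -> int:
    """Model setgroups(): EPERM once /proc/self/setgroups says 'deny' (what --map-root-user
    writes), EINVAL if any requested gid is unmapped, otherwise success."""
    if setgroups_policy == "deny":
        return errno.EPERM
    if not all(is_mapped(entries, g) for g in groups):
        return errno.EINVAL
    return 0


APT_NOGROUP_GID = 65534  # gid apt drops to for its download sandbox (from the log)
APT_UID = 105            # uid of _apt on the reporting machine (from the log)


def simulate_apt_privdrop(uid_map_text: str, gid_map_text: str,
                          setgroups_policy: str) -> List[Tuple[str, int]]:
    """Replay the privilege-drop sequence visible in the apt error lines; returns (call, errno)."""
    uid_map = parse_id_map(uid_map_text)
    gid_map = parse_id_map(gid_map_text)
    return [
        ("setgroups 65534", sim_setgroups(gid_map, [APT_NOGROUP_GID], setgroups_policy)),
        ("setegid 65534", sim_setid(gid_map, APT_NOGROUP_GID)),
        ("seteuid 105", sim_setid(uid_map, APT_UID)),
        ("setgroups 0", sim_setgroups(gid_map, [0], setgroups_policy)),
    ]


def describe(results: List[Tuple[str, int]]) -> None:
    for call, err in results:
        status = "ok" if err == 0 else f"({err}: {os.strerror(err)})"
        print(f"  {call} -> {status}")


if __name__ == "__main__":
    # Constructed: unshare --map-root-user with an invoking uid/gid of 1000.
    print("--map-root-user (0 1000 1, setgroups=deny):")
    describe(simulate_apt_privdrop("0 1000 1", "0 1000 1", "deny"))
    # Constructed: the one-to-one mapping tried on the gid-mapping branch, run as root.
    print("one-to-one (0 0 4294967295, setgroups=allow):")
    describe(simulate_apt_privdrop("0 0 4294967295", "0 0 4294967295", "allow"))
```

Running it reproduces the errno pattern from the report (1, 22, 22, 1) for the single-entry mapping and all-success for the one-to-one mapping, which is what the later comments observe once ids are mapped one to one.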

@ezrizhu
Collaborator

ezrizhu commented Jun 21, 2023

With branch https://github.com/binpash/try/tree/gid-mapping, using sudo ./try apt update and editing try to map all users one to one instead of 1000->0, we were able to get it mostly working.

Err:8 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Couldn't create temporary file /tmp/apt.conf.u5Mp5Z for passing config to apt-key
Err:9 http://archive.ubuntu.com/ubuntu focal-security InRelease
  Couldn't create temporary file /tmp/apt.conf.ZXyA94 for passing config to apt-key
Fetched 336 kB in 1s (659 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
34 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ubuntu.mirror.constant.com focal InRelease: Couldn't create temporary file /tmp/apt.conf.auyvms for passing config to apt-key

The above error is caused by the user _apt not having permission on /tmp:

root@pashtestold:/home/ubuntu/try# sudo -u _apt mktemp
mktemp: failed to create file via template ‘/tmp/tmp.XXXXXXXXXX’: Permission denied

@mgree
Contributor

mgree commented Jun 24, 2023

Will mapping all users resolve this?

@mgree mgree added the bug Something isn't working label Jun 24, 2023
@ezrizhu ezrizhu self-assigned this Jun 24, 2023
@ezrizhu
Collaborator

ezrizhu commented Jun 24, 2023

Mapping all users fixed some of the issues; now the issue is the _apt user not being able to make tempfiles. See the message above.

@mgree
Contributor

mgree commented Jun 25, 2023

Is this because we haven't mounted a tmpfs in /tmp? Or a perms issue?

@ezrizhu
Collaborator

ezrizhu commented Jun 25, 2023 via email

@mgree
Contributor

mgree commented Jun 25, 2023 via email

@ezrizhu
Collaborator

ezrizhu commented Jun 25, 2023

Maybe our overlaid /tmp is somehow losing it?

Can confirm our overlaid /tmp is losing it.

❯ ls -lah /tmp | head -2
total 5.2M
drwxrwxrwt 416 root root     68K Jun 25 19:13 .
❯ ./try "ls -lah /tmp | head -2"
total 5.1M
drwxr-xr-x   1 root   root    4.0K Jun 25 19:13 .

@ezrizhu
Collaborator

ezrizhu commented Jun 25, 2023

Manually adding the sticky bit via chmod +t "$SANDBOX_DIR/temproot/tmp" did not fix the permission errors, although I was able to observe, in the overlayfs, that the sticky bit was set.

Perhaps it is something else in the kernel that is allowing non-root users to write to /tmp?

@mgree
Contributor

mgree commented Jun 25, 2023

Ah: the perms are wrong in general. We're losing not only the sticky bit, but the g/a writeable bits!
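The ls output two comments up shows the host /tmp at mode 1777 (drwxrwxrwt) and the overlaid /tmp at 0755 (drwxr-xr-x), so adding only the sticky bit leaves group/other write still missing and _apt still cannot create files there. The script below is an added check, not try's code: it names the bits a directory is missing relative to 1777, compares a reference directory with a candidate, and demonstrates on two constructed directories (a "host tmp" at 1777 and a "sandbox tmp" created by a plain mkdir) what is lost and that a chmod 1777, rather than chmod +t alone, closes the gap. The directory names and the 0755 starting mode are constructed for the demo.

```python
"""Report which mode bits a sandbox /tmp lacks compared to a proper 1777 temp directory.

Added example; not part of try. Only inspects and chmods directories it creates itself.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# A shared temp directory needs rwx for everyone plus the sticky bit: mode 1777.
TMP_REQUIRED_MODE = stat.S_ISVTX | stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO

# Bits worth naming in a report, in the order they are reported.
BIT_NAMES = [
    (stat.S_ISVTX, "sticky"),
    (stat.S_IWGRP, "group-write"),
    (stat.S_IWOTH, "other-write"),
    (stat.S_IXGRP, "group-exec"),
    (stat.S_IXOTH, "other-exec"),
]


def missing_tmp_bits(st_mode: int) -> List[str]:
    """Names of the bits a directory mode lacks relative to 1777 (st_mode as from os.stat)."""
    perm = stat.S_IMODE(st_mode)
    return [name for bit, name in BIT_NAMES if (TMP_REQUIRED_MODE & bit) and not (perm & bit)]


def compare_dirs(reference: str, candidate: str) -> List[str]:
    """Bits set on `reference` (e.g. the host /tmp) but absent on `candidate` (e.g. the overlaid /tmp)."""
    ref = stat.S_IMODE(os.stat(reference).st_mode)
    cand = stat.S_IMODE(os.stat(candidate).st_mode)
    return [name for bit, name in BIT_NAMES if (ref & bit) and not (cand & bit)]


def demo() -> Dict[str, List[str]]:
    """Constructed reproduction: host-like tmp at 1777 beside a sandbox tmp made with a plain mkdir."""
    base = tempfile.mkdtemp(prefix="tmp-mode-demo-")
    try:
        host_tmp = os.path.join(base, "host_tmp")
        sandbox_tmp = os.path.join(base, "sandbox_tmp")
        os.mkdir(host_tmp)
        os.chmod(host_tmp, 0o1777)
        os.mkdir(sandbox_tmp)
        os.chmod(sandbox_tmp, 0o755)  # pin the mode regardless of umask

        result = {
            "host_missing": missing_tmp_bits(os.stat(host_tmp).st_mode),
            "sandbox_missing": compare_dirs(host_tmp, sandbox_tmp),
        }
        # chmod +t alone: sticky appears, but group/other write are still absent
        os.chmod(sandbox_tmp, 0o1755)
        result["after_plus_t"] = missing_tmp_bits(os.stat(sandbox_tmp).st_mode)
        # chmod 1777: nothing missing any more
        os.chmod(sandbox_tmp, 0o1777)
        result["after_1777"] = missing_tmp_bits(os.stat(sandbox_tmp).st_mode)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value or 'nothing missing'}")
```

The same `compare_dirs` call works against real paths (for instance `/tmp` and the sandbox's temproot tmp) to confirm from inside the overlay which bits were actually lost before changing anything.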

@ezrizhu
Collaborator

ezrizhu commented Jun 25, 2023 via email

@ezrizhu ezrizhu mentioned this issue Jan 13, 2024
@ezrizhu ezrizhu linked a pull request Mar 18, 2024 that will close this issue