Re: s6-applyuidgid mode 0700

From: Johannes Nixdorf <mixi_at_shadowice.org>
Date: Mon, 10 Jan 2022 20:29:37 +0100

On Sun, Jan 09, 2022 at 04:31:39PM +0000, Laurent Bercot wrote:
> Unless I'm mistaken, however, s6-setuidgid and s6-applyuidgid really
> don't make any sense for non-root users. Maybe s6-applyuidgid to
> restrict your own supplementary groups or change your primary group,
> and still, that's a stretch.

Yes, you are missing a potential setup for unprivileged user namespaces.
There can be multiple u/gids assigned to a user namespace (usually in
the high >= 100000 range outside the namespace), providing a "fake" root
user (e.g. 100000 outside the namespace) to start with and several
"fake" unprivileged users (e.g. >= 100001 outside the namespace) to drop
to. This is how unmodified distributions can run in the container
solution of your choice without falling over themselves because they
assume there are unprivileged u/gids available when installing packages.

To unprivileged users such ranges are available if they have been
assigned to them by the admin in /etc/sub(u|g)id. Then the suid shadow
utilities newuidmap(1) or newgidmap(1) can be used to create u/gid
mappings. (Normally unprivileged users are only allowed to create a 1
u/gid long range mapping to their own u/gid.)

In such a namespace s6-setuidgid would make sense to use to be able to
drop privileges from that "fake" root to another "fake" unprivileged
user.

> For the "copy a hierarchy" thing, yeah, I can understand that it's
> frustrating. Would 0744 be acceptable?

Yes, 0744 would be acceptable for the "copy a hierarchy thing". The user
namespace thing would require at least 0755 though.
Received on Mon Jan 10 2022 - 20:29:37 CET
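
The /etc/subuid delegation and the "fake" root mapping described in the message above, as an added example that is not part of the original message and not code from s6 or shadow. It is a simplified model of the range check and the inside-to-outside ID translation; the user names, the caller uid 1000, the ranges and the function names are all constructed for illustration.

```python
# Constructed sample data, not taken from a real host.
SUBUID_TEXT = """\
# constructed /etc/subuid content
alice:100000:65536
bob:165536:65536
"""
ALICE_UID = 1000                      # assumed real uid of "alice"
FULL_MAP = [(0, 100000, 65536)]       # inside 0 ("fake" root) -> outside 100000

def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid text into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def mapping_allowed(user, own_id, mapping, ranges):
    """Simplified model of the check: every (inside, outside, count) extent must
    lie within a range delegated to the user, or be the 1-long map to own_id."""
    for _inside, outside, count in mapping:
        if count < 1:
            return False
        if count == 1 and outside == own_id:
            continue                  # the mapping any unprivileged user may create
        if not any(start <= outside and outside + count <= start + size
                   for start, size in ranges.get(user, [])):
            return False
    return True

def to_outside(inside_id, mapping):
    """Translate an ID seen inside the namespace to the one seen outside."""
    for inside, outside, count in mapping:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None                       # unmapped inside the namespace

if __name__ == "__main__":
    ranges = parse_subid(SUBUID_TEXT)
    print(mapping_allowed("alice", ALICE_UID, FULL_MAP, ranges))
    print(to_outside(0, FULL_MAP), to_outside(1, FULL_MAP))
```
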
