[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bug#45069: Guix System: unprivileged user cannot create user namespa
From: |
Bengt Richter |
Subject: |
Re: bug#45069: Guix System: unprivileged user cannot create user namespaces? |
Date: |
Tue, 8 Dec 2020 04:20:05 +0100 |
User-agent: |
Mutt/1.10.1 (2018-07-13) |
Hi Vagrant,
On +2020-12-07 09:55:31 -0800, Vagrant Cascadian wrote:
> On 2020-12-07, zimoun wrote:
> > On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt <mail@ambrevar.xyz> wrote:
> >
> >>> Can you try, as root on Guix System:
> >>>
> >>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >>
> >> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
> >> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or
> >> directory
> >
> > In gnu/build/linux-container.scm, it reads:
> >
> > --8<---------------cut here---------------start------------->8---
> > (define (unprivileged-user-namespace-supported?)
> > "Return #t if user namespaces can be created by unprivileged users."
> > (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
> > (if (file-exists? userns-file)
> > (eqv? #\1 (call-with-input-file userns-file read-char))
> > #t)))
> > --8<---------------cut here---------------end--------------->8---
> >
> > Does it mean that the Linux kernel on Guix System does not support
> > namespaces by unprivileged users?
>
> > Turning #t to #f should work on Guix System and it appears to me a
> > severe bug if not. What do I miss? Please could someone fill my gap? :-)
>
> The /proc/sys/kernel_unprivileged_userns_clone file is specific to
> Debian and Ubuntu packaged linux kernel; it is a patchset not applied
> upstream, as far as I am aware. I'm not sure if other distros support
> disabling and enabling this feature using this mechanism.
>
>
> https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
>
> live well,
and as virtuously as you are able ... so that spies can't help but admire
and reflect :)
> vagrant
Another data point FYI:
On my pureos system, which is based on debian upstream:
uname -a
=-> Linux LionPure 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18)
x86_64 GNU/Linux
and
ls -l /proc/sys/kernel/unprivileged_userns_clone
-rw-r--r-- 1 root root 0 Dec 8 03:03
/proc/sys/kernel/unprivileged_userns_clone
and (noticing that the items appear to be short and ascii lines, hence
thereupon head :)
--8<---------------cut here---------------start------------->8---
od -a -t x1 /proc/sys/kernel/unprivileged_userns_clone
0000000 0 nl
30 0a
0000002
head /proc/sys/kernel/unprivileged_userns_clone
0
--8<---------------cut here---------------end--------------->8---
Not sure this tells you anything useful, but there is also:
--8<---------------cut here---------------start------------->8---
head /proc/sys/user/*
==> /proc/sys/user/max_cgroup_namespaces <==
128163
==> /proc/sys/user/max_inotify_instances <==
128
==> /proc/sys/user/max_inotify_watches <==
65536
==> /proc/sys/user/max_ipc_namespaces <==
128163
==> /proc/sys/user/max_mnt_namespaces <==
128163
==> /proc/sys/user/max_net_namespaces <==
128163
==> /proc/sys/user/max_pid_namespaces <==
128163
==> /proc/sys/user/max_user_namespaces <==
128163
==> /proc/sys/user/max_uts_namespaces <==
128163
--8<---------------cut here---------------end--------------->8---
HTH some way :)
--
Regards,
Bengt Richter
- Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, (continued)
- Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, zimoun, 2020/12/06
- Re: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, yasu, 2020/12/06
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Jesse Dowell, 2020/12/06
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Pierre Neidhardt, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Paul Garlick, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Yasuaki Kudo, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Pierre Neidhardt, 2020/12/07
- bug#45069: Guix System: unprivileged user cannot create user namespaces?, zimoun, 2020/12/07
- Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?, Vagrant Cascadian, 2020/12/07
- Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?, zimoun, 2020/12/07
- Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?,
Bengt Richter <=
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Paul Garlick, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, Pierre Neidhardt, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, zimoun, 2020/12/07
- Re: bug#45069: BUG: Re: guix environment: error: cannot create container: unprivileged user cannot create user namespaces, zimoun, 2020/12/07