From: Ludovic Courtès
Subject: [bug#67175] [PATCH 4/9] least-authority: Add support for changing UIDs/GIDs before exec.
Date: Thu, 21 Dec 2023 23:13:06 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

Hi!

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> * guix/least-authority.scm (least-authority-wrapper): Add #:user
>> and #:group.
>> [code]: Add calls to ‘setgid’ and ‘setuid’ when appropriate.
>>
>> Change-Id: I2aad8e5686b42b5c92fc306b114c5c60cb8bc551
>
> This should mention it fixes bug #67175 :-).

Noted!

>>  (define* (least-authority-wrapper program
>>                                    #:key (name "pola-wrapper")
>> +                                  (user #f)
>> +                                  (group #f)
>>                                    (guest-uid 1000)
>>                                    (guest-gid 1000)
>>                                    (mappings '())
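Review bot: the new USER and GROUP keywords sit beside GUEST-UID and GUEST-GID, but this hunk gives no hint of how the two pairs relate; consider documenting, here or in the docstring, that GUEST-UID/GUEST-GID apply when 'user is among NAMESPACES while USER/GROUP apply when it is not, and saying whether supplying only one of USER or GROUP (both default to #f) is accepted or rejected.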
>> @@ -55,7 +57,11 @@ (define* (least-authority-wrapper program
>>  <file-system-mapping> records indicating directories mirrored inside the
>>  execution environment of PROGRAM.  DIRECTORY is the working directory of the
>>  wrapped process.  Each environment listed in PRESERVED-ENVIRONMENT-VARIABLES
>> -is preserved; other environment variables are erased."
>> +is preserved; other environment variables are erased.
>> +
>> +When USER and GROUP are set and NAMESPACES does not include 'user, change 
>> UIDs
>> +and GIDs to these prior to executing PROGRAM.  This usually requires that 
>> the
>> +resulting wrapper be executed as root so it can call setgid(2) and
>>  setuid(2)."
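Review bot: the docstring orders the drop as setgid(2) then setuid(2), which is the right order, but it says nothing about supplementary groups: a wrapper started as root keeps the caller's supplementary groups across setgid/setuid unless setgroups(2) is also called, so consider clearing them before setgid and stating so here. Also, "When USER and GROUP are set" can be read as "either"; stating explicitly that both are required would remove the ambiguity.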
>
> About "usually": in which case could a program call setgid and
> setuid without being root?

On Linux, a non-root process can have ‘CAP_SETGID’ and/or ‘CAP_SETUID’
and successfully call these.

So checking whether the UID is zero would not be accurate (tricky
semantics).  I think it’s safer to let it fail and display the actual
error.

Thanks,
Ludo’.
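To illustrate the point made in the reply above, here is an added example in Python (not Guix code and not part of the thread): it reads the effective capability set from the `/proc/<pid>/status` format to show that CAP_SETGID/CAP_SETUID, not a UID of zero, decide whether setgid(2)/setuid(2) may succeed, and it then performs the drop in the proper order, returning the real errno of whichever call fails instead of predicting it. The `SAMPLE_STATUS` excerpt is constructed; `drop_privileges`, `can_change_ids` and the other names are this example's own.

```python
"""Privilege drop without a UID-zero check (added example, not Guix code).

On Linux a non-root process holding CAP_SETGID and/or CAP_SETUID can call
setgid(2)/setuid(2) successfully, so testing getuid() == 0 is the wrong
predicate.  This script (1) parses the effective capability set to show
why, and (2) attempts the calls in the proper order and reports the actual
errno when one fails.
"""
import os
import re

# Capability bit numbers from <linux/capability.h>.
CAP_SETGID = 6
CAP_SETUID = 7

# Constructed /proc/<pid>/status excerpt: an unprivileged user (uid 1000)
# whose effective set holds exactly CAP_SETGID and CAP_SETUID (0xc0).
SAMPLE_STATUS = (
    "Name:\tpola-wrapper\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000000c0\n"
    "CapEff:\t00000000000000c0\n"
    "CapBnd:\t000001ffffffffff\n"
)


def effective_caps(status_text):
    """Return the CapEff bitmask parsed from a /proc/<pid>/status dump."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    return int(match.group(1), 16)


def has_cap(mask, bit):
    """True when capability number BIT is set in MASK."""
    return bool((mask >> bit) & 1)


def can_change_ids(status_text):
    """Whether the process described by STATUS_TEXT may call setgid/setuid.

    Deliberately ignores the Uid: line: root normally has these capabilities
    but may have dropped them, and a non-root process may hold them.
    """
    mask = effective_caps(status_text)
    return has_cap(mask, CAP_SETGID) and has_cap(mask, CAP_SETUID)


def drop_privileges(uid, gid, groups=None):
    """Switch to GID then UID (supplementary GROUPS first, if given).

    Returns (0, None) on success, otherwise (errno, name_of_failing_call) so
    the caller can print the genuine error.  A wrapper started as root should
    pass groups=[] to clear inherited supplementary groups; setgroups(2)
    itself needs CAP_SETGID.  Order matters: once setuid has succeeded the
    process may no longer be allowed to change its groups.
    """
    steps = []
    if groups is not None:
        steps.append(("setgroups", lambda: os.setgroups(list(groups))))
    steps.append(("setgid", lambda: os.setgid(gid)))
    steps.append(("setuid", lambda: os.setuid(uid)))
    for name, call in steps:
        try:
            call()
        except OSError as exc:
            return exc.errno, name
    return 0, None


def drop_to_self():
    """Re-assert our own IDs; permitted for any process, privileged or not."""
    return drop_privileges(os.getuid(), os.getgid())


if __name__ == "__main__":
    with open("/proc/self/status") as status:
        mask = effective_caps(status.read())
    print("uid=%d CAP_SETGID=%s CAP_SETUID=%s"
          % (os.getuid(), has_cap(mask, CAP_SETGID), has_cap(mask, CAP_SETUID)))
    # Try to become uid/gid 65534 ("nobody" on many systems) and report what
    # the kernel says rather than guessing from the UID beforehand.
    code, failed = drop_privileges(65534, 65534, groups=[])
    if code:
        print("%s failed: %s" % (failed, os.strerror(code)))
    else:
        print("now running as uid=%d gid=%d" % (os.getuid(), os.getgid()))
```

Run it as an ordinary user and the drop fails with a plain "Operation not permitted" from the first call that lacks authority; run it with CAP_SETGID and CAP_SETUID (root or not) and it succeeds, which is exactly why the reply prefers surfacing the real error over a UID check.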