-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change std::process to drop supplementary groups based on CAP_SETGID #121650
Conversation
r? @ChrisDenton rustbot has assigned @ChrisDenton. Use r? to explicitly pick a reviewer |
The change was fcp'd and I'd be happy to r+ it on that basis but cc @Amanieu as you expressed specific implementation and documentation concerns in #88716 (comment) |
if let Err(e) = res { | ||
// Here we ignore the case of not having CAP_SETGID. | ||
// An alternative would be to require CAP_SETGID (in | ||
// addition to CAP_SETUID) for setting the UID. | ||
if e.raw_os_error() != Some(libc::EPERM) { | ||
return Err(e.into()); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per #88716 (comment), I think we should fail the call entirely if we were not able to reset the groups after a uid change. Otherwise we could end up in a situation where the uid changed but kept the old groups.
This should not be a problem in practice because CAP_SETGID and CAP_SETUID will almost always come together.
This comment has been minimized.
This comment has been minimized.
I've traced the history of the failing test: it dates all the way back to when The documentation for the However this PR changes The expected impact in practice is small: with a github code search I could only find examples of code that is already running as root dropping down to non-root privileges. @rust-lang/libs-api How do we feel about making this (possibly breaking) change? The previous PR ignored any EPERM errors from |
So, there's a weird interactions with containers here, where if we fail on EPERM, that would potentially break users of Linux containers / user namespaces. In theory, with standard UNIX permissions, it's possible to use supplementary groups as a "negative permission" for something. For instance, in theory you could do this:
And then users who don't have the This is not a very reasonable use of permissions, and almost nobody does this. There are a few random anecdotes of universities having a Linux supports unprivileged creation of user namespaces, and within a user namespace, users can normally call Now, if you're setting up a user namespace, if you don't set up a See The reason I have the context on this:
A quick check on my system shows, for instance, that Firefox creates containers that have As a result of this, if an unprivileged user sets up a user namespace (as happens regularly to sandbox code), and code running within that namespace wants to drop permissions (e.g. going from container-root to container-unprivileged-user), they can call I would propose that if you're getting Thus, I'd propose that we ignore (Separately, we should figure out what to do with the call caused by I also think we should document very clearly what Summary:
|
This reverts commit b4a4ab4. As per rust-lang#121650 (comment)
Added a commit reverting the change. Not squashing to reflect the decision-making process in the commit history. But if you would like me to, I can just reset the branch back to the initial 3a6af84. |
I agree with Josh's summary, let's just revert back to the original version that ignores EPERM errors. r=me once the revert is squashed. |
d7f7f66
to
3a6af84
Compare
I thought GitHub wouldn't re-run the CI for a commit that was already tested before, but whataver. The PR is now "squashed" (actually just reverted back to the first commit). |
@bors r+ |
…iaskrgr Rollup of 10 pull requests Successful merges: - rust-lang#117118 ([AIX] Remove AixLinker's debuginfo() implementation) - rust-lang#121650 (change std::process to drop supplementary groups based on CAP_SETGID) - rust-lang#121764 (Make incremental sessions identity no longer depend on the crate names provided by source code) - rust-lang#122212 (Copy byval argument to alloca if alignment is insufficient) - rust-lang#122322 (coverage: Initial support for branch coverage instrumentation) - rust-lang#122373 (Fix the conflict problem between the diagnostics fixes of lint `unnecessary_qualification` and `unused_imports`) - rust-lang#122479 (Implement `Duration::as_millis_{f64,f32}`) - rust-lang#122487 (Rename `StmtKind::Local` variant into `StmtKind::Let`) - rust-lang#122498 (Update version of cc crate) - rust-lang#122503 (Make `SubdiagMessageOp` well-formed) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 10 pull requests Successful merges: - rust-lang#117118 ([AIX] Remove AixLinker's debuginfo() implementation) - rust-lang#121650 (change std::process to drop supplementary groups based on CAP_SETGID) - rust-lang#121764 (Make incremental sessions identity no longer depend on the crate names provided by source code) - rust-lang#122212 (Copy byval argument to alloca if alignment is insufficient) - rust-lang#122322 (coverage: Initial support for branch coverage instrumentation) - rust-lang#122373 (Fix the conflict problem between the diagnostics fixes of lint `unnecessary_qualification` and `unused_imports`) - rust-lang#122479 (Implement `Duration::as_millis_{f64,f32}`) - rust-lang#122487 (Rename `StmtKind::Local` variant into `StmtKind::Let`) - rust-lang#122498 (Update version of cc crate) - rust-lang#122503 (Make `SubdiagMessageOp` well-formed) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#121650 - GrigorenkoPV:cap_setgid, r=Amanieu change std::process to drop supplementary groups based on CAP_SETGID A trivial rebase of rust-lang#95982 Should fix rust-lang#39186 (from what I can tell) Original description: > Fixes rust-lang#88716 > > * Before this change, when a process was given a uid via `std::os::unix::process::CommandExt.uid`, there would be a `setgroups` call (when the process runs) to clear supplementary groups for the child **if the parent was root** (to remove potentially unwanted permissions). > * After this change, supplementary groups are cleared if we have permission to do so, that is, if we have the CAP_SETGID capability. > > This new behavior was agreed upon in rust-lang#88716 but there was a bit of uncertainty from `@Amanieu` here: [rust-lang#88716 (comment)](rust-lang#88716 (comment)) > > > I agree with this change, but is it really necessary to ignore an EPERM from setgroups? If you have permissions to change UID then you should also have permissions to change groups. I would feel more comfortable if we documented set_uid as requiring both UID and GID changing permissions. > > The way I've currently written it, we ignore an EPERM as that's what rust-lang#88716 originally suggested. I'm not at all an expert in any of this so I'd appreciate feedback on whether that was the right way to go.
A trivial rebase of #95982
Should fix #39186 (from what I can tell)
Original description: