authorNikolay Amiantov <ab@fmap.me>2016-01-12 14:40:45 +0300
committerNikolay Amiantov <ab@fmap.me>2016-01-12 14:40:45 +0300
commit9124e9584b3d952fdd6047bbdf610be0ef1ad45f (patch)
tree54d60290230482d9f270f46169fee7f13cf7b206 /pkgs
parent6fd00586dd51194a86f495073f9643968b40d960 (diff)
parented4219964d9974aec463070bb639f7013d1ffedf (diff)
Merge pull request #11779 from abbradar/fhs-root
chroot-user: don't create new user namespace if we are root
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/env.nix7
-rwxr-xr-xpkgs/build-support/build-fhs-userenv/chroot-user.rb43
2 files changed, 33 insertions, 17 deletions
diff --git a/pkgs/build-support/build-fhs-chrootenv/env.nix b/pkgs/build-support/build-fhs-chrootenv/env.nix
index c00d3865afa..d28773f00ac 100644
--- a/pkgs/build-support/build-fhs-chrootenv/env.nix
+++ b/pkgs/build-support/build-fhs-chrootenv/env.nix
@@ -56,7 +56,7 @@ let
     export PS1='${name}-chrootenv:\u@\h:\w\$ '
     export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
     export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
-    export PATH='/usr/bin:/usr/sbin'
+    export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
     ${profile}
   '';
 
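Review bot: Placing `/var/setuid-wrappers` at the head of PATH only gives a privileged su/sudo if that directory is bind-mounted into the chroot without `nosuid`, and the mount list that would do so is outside this hunk, so I could not confirm it from here. In the unprivileged branch of chroot-user.rb the wrappers' owner (uid 0) is not mapped into the user namespace, so the kernel should silently ignore the setuid bit and the wrappers run with the caller's own privileges — the su/sudo support this commit enables is therefore, as far as I can tell, effective only when chroot-user runs as real root. A one-line comment would save the next reader that investigation: `# setuid wrappers first, as on the host; they are only privileged when chroot-user runs as real root (no user namespace)`. The enclosing `''` string starts before this hunk.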
@@ -81,6 +81,11 @@ let
       ln -s /host-etc/resolv.conf resolv.conf
       ln -s /host-etc/nsswitch.conf nsswitch.conf
 
+      # symlink sudo and su stuff
+      ln -s /host-etc/login.defs login.defs
+      ln -s /host-etc/sudoers sudoers
+      ln -s /host-etc/sudoers.d sudoers.d
+
       # symlink other core stuff
       ln -s /host-etc/localtime localtime
       ln -s /host-etc/machine-id machine-id
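Review bot: The new `sudoers` and `sudoers.d` symlinks import the host's sudo policy verbatim: sudo follows the links and performs its ownership/mode checks (root-owned, 0440, no world-writable `sudoers.d`) on the host files behind them, so every rule written for the host — including any `NOPASSWD` entries — applies unchanged inside a chroot whose PATH and filesystem layout differ from the host's. That is probably the intent, but the comment `# symlink sudo and su stuff` does not say so, and on a host without sudo enabled `ln -s` simply leaves the links dangling. Suggest `# su/sudo inside the chroot use the host's policy files unchanged (incl. NOPASSWD rules); sudo's ownership/mode checks are evaluated on the host files behind these links; they dangle if the host has no sudo`. The enclosing `''` string starts before this hunk.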
diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
index 97316ac4369..250e6a90843 100755
--- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb
+++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
@@ -53,6 +53,7 @@ $unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT
 
 MS_BIND = 0x1000
 MS_REC  = 0x4000
+MS_SLAVE  = 0x80000
 $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
                               Fiddle::TYPE_VOIDP,
                               Fiddle::TYPE_VOIDP,
@@ -92,23 +93,31 @@ root = Dir.mktmpdir 'chrootenv'
 # we don't use threads at all.
 $cpid = $fork.call
 if $cpid == 0
-  # Save user UID and GID
-  uid = Process.uid
-  gid = Process.gid
-
-  # Create new mount and user namespaces
-  # CLONE_NEWUSER requires a program to be non-threaded, hence
-  # native fork above.
-  $unshare.call CLONE_NEWNS | CLONE_NEWUSER
-
-  # Map users and groups to the parent namespace
-  begin
-    # setgroups is only available since Linux 3.19
-    write_file '/proc/self/setgroups', 'deny'
-  rescue
+  # If we are root, no need to create new user namespace.
+  if Process.uid == 0
+    $unshare.call CLONE_NEWNS
+    # Mark all mounted filesystems as slave so changes
+    # don't propagate to the parent mount namespace.
+    $mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil
+  else
+    # Save user UID and GID
+    uid = Process.uid
+    gid = Process.gid
+
+    # Create new mount and user namespaces
+    # CLONE_NEWUSER requires a program to be non-threaded, hence
+    # native fork above.
+    $unshare.call CLONE_NEWNS | CLONE_NEWUSER
+
+    # Map users and groups to the parent namespace
+    begin
+      # setgroups is only available since Linux 3.19
+      write_file '/proc/self/setgroups', 'deny'
+    rescue
+    end
+    write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
+    write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
   end
-  write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
-  write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
 
   # Do rbind mounts.
   mounts.each do |from, rto|
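Review bot: The new root branch never checks the result of `$unshare.call CLONE_NEWNS` or of the `MS_REC | MS_SLAVE` remount of `/` that follows it; if either syscall fails the script carries on, and the rbind mounts in the loop below are then performed in, or propagate back to, the host's mount namespace — exactly what the comment says the remount prevents. `$unshare` is declared to return an int, so `raise "unshare failed: errno #{Fiddle.last_error}" unless $unshare.call(CLONE_NEWNS) == 0` is enough there, and the same pattern fits the mount call if its declared return type (outside this hunk) is also an int. Note also that `Process.uid == 0` tests the real uid while the privilege `unshare`/`mount` need comes from the effective credentials, so a caller with real uid 0 but a non-root euid would take this branch and fail at the first syscall, which is another reason the return values must be checked rather than ignored. The moved user-namespace branch carries the same unchecked `$unshare` call, and the `if $cpid == 0` block continues past this hunk.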
@@ -117,6 +126,8 @@ if $cpid == 0
     $mount.call from, to, nil, MS_BIND | MS_REC, nil
   end
 
+  # Don't make root private so privilege drops inside chroot are possible
+  File.chmod(0755, root)
   # Chroot!
   Dir.chroot root
   Dir.chdir '/'
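Review bot: The comment on the new `File.chmod(0755, root)` says "private" where it means the 0700 mode `Dir.mktmpdir` gives the directory, and spelling out the mechanism makes the trade-off reviewable: suggest `# mktmpdir creates root with mode 0700; widen it to 0755 so a process that setuid()s to another user inside the chroot (su/sudo) can still traverse "/"`. The widening also applies to the host-side inode, but in the parent mount namespace that directory is still the empty tmpdir — the rbind mounts above were made after `unshare` in the child's namespace — so nothing from `mounts` becomes visible to other host users beyond an empty listable directory. The enclosing `if $cpid == 0` block continues past this hunk.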