From: Carlos O'Donell
Organization: Red Hat
To: "H.J. Lu"
Cc: Florian Weimer, "H.J. Lu via Libc-alpha"
Subject: Re: [PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248]
Date: Fri, 17 Jul 2020 17:22:03 -0400

On 7/17/20 3:31 PM, H.J. Lu wrote:
> On Fri, Jul 17, 2020 at 8:52 AM Carlos O'Donell wrote:
>>
>> On 7/17/20 11:13 AM, Florian Weimer wrote:
>>> * Carlos O'Donell:
>>>
>>>> This test should run in a container, and it should attempt two setgroups
>>>> calls, one with groups and one empty with a bad address.
>>>
>>> Why do you think this needs a container?
>>
>> We are trying to successfully call setgroups(), and to do that we need
>> CAP_SETGID. The way this test is exercising this is by making the test
>> an xtests which can require root and thus you get CAP_SETGID in that way.
>>
>> My suggestion is to move the test from xtests to tests-container to increase
>> the usage of the test. In the container we have a CLONE_NEWUSER so we have
>> a distinct user namespace that can be used in conjunction with becoming
>> root, getting CAP_SETGID, and calling setgroups() without restricting this
>> test to `make xcheck`.
>
> I see su in tst-localedef-path-norm.script. But when I removed "su" from
> tst-localedef-path-norm.script, tst-localedef-path-norm still passed. There are

The use of "su" changes uid_map and gid_map to map our users to user 0 in the
container, but doesn't explicitly deny us from writing to the files in the
filesystem. The use of "su" in this test was belt-and-suspenders in case some
code internally checked the uid/gid values.

> [hjl@gnu-cfl-2 build-x86_64-linux]$ ls -l testroot.root
> total 44
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 bin
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 dev
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:34 etc
> drwxr-xr-x 4 hjl hjl 4096 Jul 17 12:23 export
> -rw-r--r-- 1 hjl hjl    0 Jul 17 09:16 install.stamp
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 libx32
> -rw-r--r-- 1 hjl hjl    0 Jul 17 12:26 lock.fd
> drwxr-xr-x 5 hjl hjl 4096 Jul 17 12:23 output
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 proc
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 sbin
> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 tmp
> drwxr-xr-x 9 hjl hjl 4096 Jul 17 09:16 usr
> drwxr-xr-x 3 hjl hjl 4096 Jul 17 09:34 var
> [hjl@gnu-cfl-2 build-x86_64-linux]$
>
> I don't think su is needed since testroot.root is owned by me.

Correct.

>> I see that we don't explicitly say `make xcheck` may require root.
>> Is this something I just taught myself implicitly? :-)
>>
>> Note: We may need to adjust the gid_map writing code in test-container.
>>
>
> Can you help me to make tst-setgroups pass when not running as root?

Sure, let me have a look at running it as a test in the container.

--
Cheers,
Carlos.
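
Added example (not part of the thread, and not glibc's test-container code): a minimal C probe of the gid_map / setgroups() interaction that the note above touches on. On Linux 3.19 and later an unprivileged process must write "deny" to /proc/self/setgroups before it may write its own gid_map, and that setting makes setgroups() fail with EPERM inside the new user namespace. The function and enum names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define NEWUSER_FLAG 0x10000000 /* CLONE_NEWUSER, spelled out to avoid _GNU_SOURCE */
enum { SG_DENIED, SG_ALLOWED, SG_NO_USERNS, SG_SETUP_FAILED }; /* hypothetical codes */

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t) strlen(text) ? 0 : -1;
}

/* Child side: new user namespace, map our gid to 0, then try setgroups(). */
static int child_probe(void)
{
    char map[64];
    unsigned int outer_gid = getegid();  /* read before leaving the parent namespace */
    if (syscall(SYS_unshare, NEWUSER_FLAG) != 0) return SG_NO_USERNS;
    /* Without CAP_SETGID in the parent namespace, gid_map is writable only after "deny". */
    if (write_file("/proc/self/setgroups", "deny") != 0) return SG_SETUP_FAILED;
    snprintf(map, sizeof map, "0 %u 1", outer_gid);
    if (write_file("/proc/self/gid_map", map) != 0) return SG_SETUP_FAILED;
    if (setgroups(0, NULL) == 0) return SG_ALLOWED;
    return errno == EPERM ? SG_DENIED : SG_SETUP_FAILED;
}
/* Fork so the caller's own namespace and credentials are left untouched. */
int probe_setgroups_in_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return SG_SETUP_FAILED;
    if (pid == 0) _exit(child_probe());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SG_SETUP_FAILED;
    return WEXITSTATUS(status);
}
int main(void)
{
    printf("result code: %d\n", probe_setgroups_in_userns());
    return 0;
}
```

A result of SG_NO_USERNS or SG_SETUP_FAILED means the host does not permit user namespaces or does not expose the /proc files, not that setgroups() is usable.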