[lxc-users] Cannot chmod g+s within unprivileged container anymore
Carsten Aulbert
carsten at welcomes-you.com
Thu Dec 21 14:52:57 UTC 2017
Hi all
after a couple of hours searching issues, the interwebs and asking on
IRC, I'm trying it here as I am running out of ideas:
I started on a fresh bare metal host with Debian Stretch in October with
my first lxc steps. The base set-up is simply that I run lxcontainers as
root but within their own ID namespaces. Everything was working as
expected but today I found that /usr/sbin/postqueue and
/usr/sbin/postdrop in a freshly installed Stretch lxc had the access
mode 0555 instead of 2555.
From within the container chmod succeeds but does not change the mode. I
started after I set the suid bit from the host system:
stat /usr/sbin/postqueue; chmod -v 555 /usr/sbin/postqueue; \
stat /usr/sbin/postqueue; chmod -v 2555 /usr/sbin/postqueue; \
stat /usr/sbin/postqueue
File: /usr/sbin/postqueue
Size: 22600 Blocks: 21 IO Block: 23040 regular file
Device: 85h/133d Inode: 32648 Links: 1
Access: (2555/-r-xr-sr-x) Uid: ( 0/ root) Gid: ( 110/postdrop)
Access: 2017-12-21 09:43:42.000000000 +0000
Modify: 2017-09-27 04:56:28.000000000 +0000
Change: 2017-12-21 09:45:12.736880252 +0000
Birth: -
mode of '/usr/sbin/postqueue' changed from 2555 (r-xr-sr-x) to 0555
(r-xr-xr-x)
File: /usr/sbin/postqueue
Size: 22600 Blocks: 21 IO Block: 23040 regular file
Device: 85h/133d Inode: 32648 Links: 1
Access: (0555/-r-xr-xr-x) Uid: ( 0/ root) Gid: ( 110/postdrop)
Access: 2017-12-21 09:43:42.000000000 +0000
Modify: 2017-09-27 04:56:28.000000000 +0000
Change: 2017-12-21 09:49:47.179075753 +0000
Birth: -
mode of '/usr/sbin/postqueue' retained as 2555 (r-xr-sr-x)
File: /usr/sbin/postqueue
Size: 22600 Blocks: 21 IO Block: 23040 regular file
Device: 85h/133d Inode: 32648 Links: 1
Access: (0555/-r-xr-xr-x) Uid: ( 0/ root) Gid: ( 110/postdrop)
Access: 2017-12-21 09:43:42.000000000 +0000
Modify: 2017-09-27 04:56:28.000000000 +0000
Change: 2017-12-21 09:49:47.187075817 +0000
Birth: -
# from strace
strace -v -s 200 chmod 2555 /usr/sbin/postqueue
[...]
umask(000) = 022
stat("/usr/sbin/postqueue", {st_dev=makedev(0, 133), st_ino=32648,
st_mode=S_IFREG|0555, st_nlink=1, st_uid=0, st_gid=110,
st_blksize=23040, st_blocks=21, st_size=22600,
st_atime=2017-12-21T09:43:42+0000, st_mtime=2017-09-27T04:56:28+0000,
st_ctime=2017-12-21T09:51:56+0000.404108974}) = 0
fchmodat(AT_FDCWD, "/usr/sbin/postqueue", 02555) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
I've tried tracing the lxc but no error messages there, also nothing in
log files on the host or within the container. It seems the change is
just silently ignored.
As the suid bit was set in older lxc I suspect something changed on the
system with (recent) upgrades, but as I only found out about this today,
it could have happened a number of days/weeks ago. Recent updates
contained among others
* lxc (2.0.7-2 to 2.0.7-2+deb9u1)
* ZFS (0.6.5.11-1~bpo9+1 to 0.7.3-3~bpo9+1)
* kernel (4.9.51-1 to 4.9.65-3)
but I could not find anything within their changelogs.
Random other bits and pieces:
- lxc-checkconfig shows everything as enabled
- /etc/sub{u,g}id look the same, just containing "root:100000:10000000"
- Typical config file looks like:
lxc.rootfs = /vm/lxc/wiki/rootfs
lxc.rootfs.backend = zfs
# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
# Container specific configuration
lxc.tty = 4
lxc.utsname = wiki
lxc.arch = amd64
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = vbr0
lxc.network.hwaddr = 00:16:3e:f9:75:81
lxc.network.veth.pair = ve_wiki
lxc.id_map = u 0 1000000 65535
lxc.id_map = g 0 1000000 65535
lxc.start.auto = 1
- all file owners/groups are changed via a script similar to
https://gitlab.com/yeupou/stalag13/blob/master/usr/local/bin/increase-uid-gid.pl
Anyone with an idea what's wrong or what information I should provide to
help finding out what is wrong?
Cheers and thanks a lot in advance
Carsten
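Added diagnostic, not part of Carsten's post and not lxc or ZFS code. The behaviour in the post (chmod returns 0, the setgid bit is missing afterwards) is exactly what the VFS does by design: in fs/attr.c, setattr_prepare() (called inode_change_ok() before 4.9) clears S_ISGID from the requested mode, without returning an error, when the caller is not a member of the file's group and is not capable_wrt_inode_uidgid(inode, CAP_FSETID), i.e. lacks CAP_FSETID in its user namespace or the inode's uid/gid have no mapping in that namespace. The program below mirrors that rule from userspace (group membership via getegid()/getgroups(), CAP_FSETID from /proc/self/status, "unmapped" approximated as the id showing up as the overflow id from /proc/sys/fs/overflowuid/gid), then performs a real chmod and compares prediction against observation. A mismatch means the decision was made below the VFS rule, which is the hint a practitioner wants before digging into the filesystem driver (a filesystem with its own setattr path can carry its own copy of this check; which one applies here is an assumption to verify, not something the post establishes). Run it inside the container against /usr/sbin/postqueue; the file path, the probe logic and the CAP_FSETID bit number (4) are mine, not from the post.

```c
/* setgid_probe.c: does chmod keep S_ISGID here, and does the VFS rule agree?
 * Added example; build with: cc -std=c99 -Wall -o setgid_probe setgid_probe.c
 * Usage: ./setgid_probe /usr/sbin/postqueue   (restores the original mode). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CAP_FSETID_BIT 4 /* CAP_FSETID from <linux/capability.h> */

/* Read one integer from a /proc or /sys file, or return dflt. */
static unsigned long read_ulong(const char *path, unsigned long dflt)
{
    FILE *f = fopen(path, "r");
    unsigned long v = dflt;
    if (f) {
        if (fscanf(f, "%lu", &v) != 1) v = dflt;
        fclose(f);
    }
    return v;
}

/* Effective capability mask of this process, parsed from /proc/self/status. */
static unsigned long long cap_effective(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long caps = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapEff: %llx", &caps) == 1) break;
    fclose(f);
    return caps;
}

/* Userspace approximation of the kernel's in_group_p(): egid or any
 * supplementary group of the caller. */
static int in_group(gid_t gid)
{
    if (getegid() == gid) return 1;
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *list = calloc((size_t)n, sizeof *list);
    if (!list) return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid) { found = 1; break; }
    free(list);
    return found;
}

/* Mirror of the VFS rule in setattr_prepare(): S_ISGID survives a chmod iff
 * the caller is in the file's group, or has CAP_FSETID in its user namespace
 * AND both the inode's uid and gid are mapped there. An unmapped id is
 * reported by stat() as the overflow id (65534 by default), which is the
 * approximation used here (a file genuinely owned by 65534 looks the same). */
int predict_setgid_kept(uid_t st_uid, gid_t st_gid)
{
    if (in_group(st_gid)) return 1;
    uid_t ovf_uid = (uid_t)read_ulong("/proc/sys/fs/overflowuid", 65534);
    gid_t ovf_gid = (gid_t)read_ulong("/proc/sys/fs/overflowgid", 65534);
    int has_fsetid = (int)((cap_effective() >> CAP_FSETID_BIT) & 1);
    int mapped = st_uid != ovf_uid && st_gid != ovf_gid;
    return has_fsetid && mapped;
}

/* Set S_ISGID on top of the current mode and report whether it survived.
 * Returns 1 (kept), 0 (silently dropped: chmod returned 0 but the bit is
 * gone, as in the strace above) or -1 on error. The original mode is restored. */
int setgid_retained(const char *path)
{
    struct stat st;
    if (stat(path, &st) == -1) return -1;
    mode_t orig = st.st_mode & 07777;
    if (chmod(path, orig | S_ISGID) == -1) return -1;
    if (stat(path, &st) == -1) return -1;
    int kept = (st.st_mode & S_ISGID) != 0;
    chmod(path, orig); /* put the file back the way we found it */
    return kept;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    struct stat st;
    if (stat(argv[1], &st) == -1) { perror("stat"); return 1; }
    int predicted = predict_setgid_kept(st.st_uid, st.st_gid);
    int actual = setgid_retained(argv[1]);
    if (actual < 0) { perror("chmod/stat"); return 1; }
    printf("file uid=%u gid=%u in_group=%d CAP_FSETID=%d\n",
           (unsigned)st.st_uid, (unsigned)st.st_gid, in_group(st.st_gid),
           (int)((cap_effective() >> CAP_FSETID_BIT) & 1));
    printf("VFS rule predicts: %s, observed: %s\n",
           predicted ? "kept" : "dropped", actual ? "kept" : "dropped");
    if (predicted != actual)
        printf("mismatch: the bit was decided below the VFS rule; "
               "check the filesystem driver's own setattr path\n");
    return predicted == actual ? 0 : 3;
}
```

If the probe reports "dropped" together with in_group=0 and CAP_FSETID=1 on a file whose ids are mapped, the VFS rule would have kept the bit, so the next place to look is the backing filesystem; if it reports in_group=0 and the file's gid as the overflow id, the lxc.id_map range simply does not cover that gid.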