Running apt
Currently try with apt install fails both with sudo in and out of the try:
$ ./try sudo apt install tmux
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /usr/lib/sudo/sudoers.so must be owned by uid 0
sudo: fatal error, unable to load plugins
$ sudo ./try apt install tmux
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
tmux
1 upgraded, 0 newly installed, 0 to remove and 227 not upgraded.
Need to get 292 kB of archives.
After this operation, 0 B of additional disk space will be used.
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 105 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Ign:1 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 tmux amd64 3.0a-2ubuntu0.4
Err:1 http://security.ubuntu.com/ubuntu focal-updates/main amd64 tmux amd64 3.0a-2ubuntu0.4
Could not open file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - open (13: Permission denied) [IP: 91.189.91.39 80]
W: chown to _apt:root of directory /var/cache/apt/archives/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chmod 0700 of directory /var/cache/apt/archives/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 105 failed - seteuid (22: Invalid argument)
W: Download is performed unsandboxed as root as file '/var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
W: Problem unlinking the file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/archives/partial/tmux_3.0a-2ubuntu0.4_amd64.deb - PrepareFiles (13: Permission denied)
Changes detected in the following files:
/tmp/tmp.neLW9gBc4r/upperdir/var/cache/apt/archives/lock
/tmp/tmp.neLW9gBc4r/upperdir/var/lib/dpkg/lock
/tmp/tmp.neLW9gBc4r/upperdir/var/lib/dpkg/lock-frontend
Commit these changes? [y/N]
The issue seems to have to do with our use of unshare. It seems that unshare offers an option to allow setgroups which is not compatible with --map-root-user, which we need to be able to create the overlay after the first unshare. I think that we might need to implement our own version of unshare to have finer-grained control over everything...
With branch https://github.com/binpash/try/tree/gid-mapping, using sudo ./try apt update, and editing try to map all users one to one instead of 1000->0, we were able to get it mostly working.
Err:8 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Couldn't create temporary file /tmp/apt.conf.u5Mp5Z for passing config to apt-key
Err:9 http://archive.ubuntu.com/ubuntu focal-security InRelease
Couldn't create temporary file /tmp/apt.conf.ZXyA94 for passing config to apt-key
Fetched 336 kB in 1s (659 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
34 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ubuntu.mirror.constant.com focal InRelease: Couldn't create temporary file /tmp/apt.conf.auyvms for passing config to apt-key
The above error is caused by the user _apt not having permission to /tmp.
root@pashtestold:/home/ubuntu/try# sudo -u _apt mktemp
mktemp: failed to create file via template ‘/tmp/tmp.XXXXXXXXXX’: Permission denied
Will mapping all users resolve this?
Mapping all users fixed some of the issue; now the issue is the _apt user not being able to make tempfiles. See above message.
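To see what kind of mapping a sandbox actually ended up with, the following script (an added example, not code from binpash/try) classifies a user namespace from its /proc/<pid>/uid_map, gid_map and setgroups files. A --map-root-user style namespace has a single-entry map and setgroups set to "deny", so every unmapped id (the _apt user included) appears as the overflow id 65534 and setgroups() fails; the one-to-one map from the gid-mapping branch shows up as an identity map. The /proc file formats are the kernel's; the fixture directories built in demo() are constructed for illustration only.

```shell
# Added example, not code from binpash/try: classify the uid/gid mapping of a
# user namespace from its /proc/<pid>/{uid_map,gid_map,setgroups} files.
# unshare --map-root-user installs a single-entry map and writes "deny" to
# setgroups; an identity map ("0 0 4294967295") written by root keeps every
# uid/gid meaningful inside the namespace (the "map all users one to one"
# approach). The /proc layout is real; the fixtures in demo() are constructed.

# Classify one map file. Prints one of: unset, identity, root-only, partial.
#   identity  - a single line "0 0 4294967295": every id maps to itself
#   root-only - a single line "0 <uid> 1": only root inside is mapped
#   partial   - anything else (several ranges, or a non-root single entry)
map_kind() {
    map_file=$1
    [ -s "$map_file" ] || { echo unset; return 0; }
    lines=$(wc -l < "$map_file" | tr -d ' ')
    read -r inside outside count < "$map_file"
    if [ "$lines" -le 1 ] && [ "$inside" -eq 0 ] && [ "$outside" -eq 0 ] \
       && [ "$count" -ge 4294967295 ]; then
        echo identity
    elif [ "$lines" -le 1 ] && [ "$inside" -eq 0 ] && [ "$count" -eq 1 ]; then
        echo root-only
    else
        echo partial
    fi
}

# Print the setgroups policy of a namespace ("allow" or "deny").
setgroups_state() {
    cat "$1/setgroups" 2>/dev/null || echo unavailable
}

# Return 0 when the namespace described by directory $1 (default /proc/self)
# has identity uid and gid maps and setgroups allowed, i.e. ownership and
# group switching (what apt's drop to _apt needs) behave as on the host.
sandbox_map_ok() {
    d=${1:-/proc/self}
    [ "$(map_kind "$d/uid_map")" = identity ] || return 1
    [ "$(map_kind "$d/gid_map")" = identity ] || return 1
    [ "$(setgroups_state "$d")" = allow ] || return 1
    return 0
}

# Human-readable summary; run it inside the sandbox to see what it was given.
inspect_ns() {
    d=${1:-/proc/self}
    printf 'uid_map: %s\ngid_map: %s\nsetgroups: %s\n' \
        "$(map_kind "$d/uid_map")" "$(map_kind "$d/gid_map")" "$(setgroups_state "$d")"
}

# Constructed fixtures mimicking the two configurations discussed in the thread.
demo() {
    fx=$(mktemp -d)
    mkdir "$fx/root_only" "$fx/identity"
    printf '0 1000 1\n' > "$fx/root_only/uid_map"        # what --map-root-user gives (1000->0)
    printf '0 1000 1\n' > "$fx/root_only/gid_map"
    printf 'deny\n'     > "$fx/root_only/setgroups"
    printf '0 0 4294967295\n' > "$fx/identity/uid_map"   # one-to-one map written as root
    printf '0 0 4294967295\n' > "$fx/identity/gid_map"
    printf 'allow\n'          > "$fx/identity/setgroups"
    for ns in root_only identity; do
        echo "== $ns"; inspect_ns "$fx/$ns"
        sandbox_map_ok "$fx/$ns" && echo "ok for apt" || echo "apt's uid/gid switching will fail"
    done
    rm -rf "$fx"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` for the fixtures, or call `inspect_ns` from inside `./try` to read the sandbox's own /proc/self; `sandbox_map_ok` is the check to put in front of anything that needs to switch to a second uid, such as apt's download sandboxing.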
Is this because we haven't mounted a tmpfs in /tmp? Or a perms issue?
On Sat Jun 24, 2023 at 10:09 PM EDT, Michael Greenberg wrote:
Is this because we haven't mounted a tmpfs in /tmp?
/tmp is mounted just like a normal fs; running mktemp as _apt throws EACCES.
Running mktemp as the normal eric user works, but running sudo -u eric or as _apt does not work.
***@***.***:~/try$ mktemp
/tmp/tmp.9KnCxNx7iK
***@***.***:~/try$ sudo ./try strace -f -o mktemp sudo -u eric mktemp
mktemp: failed to create file via template ‘/tmp/tmp.XXXXXXXXXX’: Permission denied
Changes detected in the following files:
/tmp/tmp.8SL44ImJ3P/upperdir/root/.sudo_as_admin_successful (modified/added)
/tmp/tmp.8SL44ImJ3P/upperdir/home/eric/try/mktemp (modified/added)
Commit these changes? [y/N] y
***@***.***:~/try$ cat mktemp | grep EACCES
58 openat(AT_FDCWD, "/tmp/tmp.z0u1GvrT08", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
***@***.***:~/try$
Something that's strange, tho, is that /tmp is 755; I should not be able to write to it as a user outside of unshare.
drwxrwxrwt 45 root root 12K Jun 24 22:26 tmp
openat(AT_FDCWD, "/tmp/tmp.SHplMFbzMS", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
/tmp is not any mount, just a dir in my ext4 root fs.
Right: it's got the sticky bit. Maybe our overlaid /tmp is somehow losing it?
Can confirm our overlaid /tmp is losing it.
❯ ls -lah /tmp | head -2
total 5.2M
drwxrwxrwt 416 root root 68K Jun 25 19:13 .
❯ ./try "ls -lah /tmp | head -2"
total 5.1M
drwxr-xr-x 1 root root 4.0K Jun 25 19:13 .
Manually adding the sticky bit via chmod +t "$SANDBOX_DIR/temproot/tmp" did not fix the permission errors, although I was able to observe, in the overlayfs, that the sticky bit was set.
Perhaps it is something else in the kernel that is allowing non-root users to write to /tmp?
Ah: the perms are wrong in general. We're losing not only the sticky bit, but the g/a writeable bits!
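The check that would have caught this directly is to compare the complete octal mode of the host directory with the sandbox's copy rather than looking at the sticky bit alone. The script below is an added example (not code from binpash/try) that does that for a pair of directories such as /tmp and "$SANDBOX_DIR/temproot/tmp": a 0755 directory with +t becomes 1755, which still denies writes to _apt and eric; only the full 1777 restores the host behaviour. It assumes GNU coreutils stat (-c '%a'); the directories in demo() are constructed stand-ins, so no overlay mount or root is needed.

```shell
# Added example, not code from binpash/try: check that a directory recreated
# for the sandbox (e.g. "$SANDBOX_DIR/temproot/tmp") carries the same full
# mode as the host directory, not just the sticky bit. The overlaid /tmp in
# this thread reported drwxr-xr-x (0755) instead of drwxrwxrwt (1777), which
# is why _apt and "sudo -u eric" got EACCES from mktemp.
# Assumes GNU coreutils stat (-c '%a'); directories in demo() are constructed.

# Octal mode including the setuid/setgid/sticky digit, e.g. 1777 for /tmp.
mode_of() {
    stat -c '%a' "$1"
}

# Compare host and sandbox modes. Prints "ok <mode>" and returns 0 on a match,
# "mismatch host=<m> sandbox=<m>" and returns 1 otherwise (2 if stat fails).
check_perms() {
    host_mode=$(mode_of "$1") || return 2
    sandbox_mode=$(mode_of "$2") || return 2
    if [ "$host_mode" = "$sandbox_mode" ]; then
        printf 'ok %s\n' "$host_mode"
        return 0
    fi
    printf 'mismatch host=%s sandbox=%s\n' "$host_mode" "$sandbox_mode"
    return 1
}

# A shared scratch dir must be world-writable *and* sticky (1777, or 3777
# with setgid); "chmod +t" on a 0755 dir yields 1755, which still fails.
is_sticky_world_writable() {
    case "$(mode_of "$1")" in
        1777|3777) return 0 ;;
        *) return 1 ;;
    esac
}

# Mitigation: copy the host directory's complete mode onto the sandbox copy.
sync_mode() {
    chmod "$(mode_of "$1")" "$2"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/host_tmp" "$work/sandbox_tmp"
    chmod 1777 "$work/host_tmp"
    chmod 0755 "$work/sandbox_tmp"          # what the overlay showed
    check_perms "$work/host_tmp" "$work/sandbox_tmp" || :
    chmod +t "$work/sandbox_tmp"            # the fix tried in the thread
    is_sticky_world_writable "$work/sandbox_tmp" || echo "sticky bit alone is not enough"
    sync_mode "$work/host_tmp" "$work/sandbox_tmp"
    check_perms "$work/host_tmp" "$work/sandbox_tmp"
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

`sh script.sh demo` walks through the 0755 -> 1755 -> 1777 sequence; in a real sandbox, `check_perms /tmp "$SANDBOX_DIR/temproot/tmp"` before running the command is the cheap regression test for this bug.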
On Sun Jun 25, 2023 at 7:21 PM EDT, Michael Greenberg wrote:
Ah: the perms are wrong in general. We're losing not only the sticky bit, but the g/a writeable bits!
Oh wow I am blind, yeah.