trun: Spawn user test with sole regular uid/gid in /etc/{passwd,group} database
Even though libc.opentty stopped to insist on chown(group=tty) for /dev/pts/*, openssh still wants to do it and fails, preventing sshd from working. Fix it by spawning test workload with sole current user and group being present in the password database. We anyway don't have IDs for users/groups different from current uid/gid mapped from current namespace, and the kernel, when seeing a file owned by those, maps them to "nobody/nogroup" for existing files, and rejects chown to those original IDs obtained from parent's namespace /etc/{passwd,group} as EINVAL. For the same reason we don't try to mount our own /dev/pts instance, because we have only current uid/gid mapped to parent namespace and gid=5 maps to nogroup in parent. With existing /dev/pts mount entries are only listed as having nogroup, and from outside they _are_ owned by parent's tty group. If we would mount /dev/pts anew, parent won't see our /dev/pts/* at all which moves us a bit more far from desired behaviour. Still keep root and nobody/nogroup as @jerome reports that without those users Go tests fail on Debian9: nexedi/slapos!1095 (comment 147177) nexedi/slapos!1095 (comment 147201) See added comment about all this for more details. This patch fixes sshd to work under tryn.py(*) No test because libc.openpty works both with and without this patch, and it would need too spawn whole sshd under test to verify this. (*) the diff for sshd 1) running successfully under regular user, and 2) previously failing under trun.py without this patch is below: diff --git a/regular-nopam.txt b/trun-nopam.txt index 378ccb6..5b96c08 100644 --- a/regular-nopam.txt +++ b/trun-nopam.txt @@ -1,4 +1,4 @@ -(neo) (z-dev) (g.env) kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no +kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1k 25 Mar 2021 debug1: private host key #0: ssh-rsa SHA256:y+ujVDqqFBXTclDM2NLy4GME7wReutLcUYOWAeriXdc debug1: setgroups() failed: Operation not permitted @@ -91,35 +91,13 @@ debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: session 0 debug1: SELinux support disabled -Attempt to write login records by non-root user (aborting) -debug1: session_pty_req: session 0 alloc /dev/pts/2 -debug1: server_input_channel_req: channel 0 request env reply 0 -debug1: session_by_channel: session 0 channel 0 -debug1: session_input_channel_req: session 0 req env -debug1: server_input_channel_req: channel 0 request shell reply 1 -debug1: session_by_channel: session 0 channel 0 -debug1: session_input_channel_req: session 0 req shell -Starting session: shell on pts/2 for kirr from 127.0.0.1 port 44106 id 0 -debug1: Setting controlling tty using TIOCSCTTY. - -debug1: Received SIGCHLD. -debug1: session_by_pid: pid 693948 -debug1: session_exit_message: session 0 channel 0 pid 693948 -debug1: session_exit_message: release channel 0 -debug1: session_by_tty: session 0 tty /dev/pts/2 -debug1: session_pty_cleanup2: session 0 release /dev/pts/2 -Attempt to write login records by non-root user (aborting) -debug1: session_by_channel: session 0 channel 0 -debug1: session_close_by_channel: channel 0 child 0 -Close session: user kirr from 127.0.0.1 port 44106 id 0 -debug1: channel 0: free: server-session, nchannels 1 -Received disconnect from 127.0.0.1 port 44106:11: disconnected by user -Disconnected from user kirr 127.0.0.1 port 44106 +chown(/dev/pts/2, 1000, 5) failed: Invalid argument debug1: do_cleanup debug1: temporarily_use_uid: 1000/1000 (e=1000/1000) debug1: restore_uid: (unprivileged) +debug1: session_pty_cleanup2: session 0 release /dev/pts/2 +Attempt to write login records by non-root user (aborting) +debug1: audit_event: unhandled event 12 debug1: do_cleanup debug1: temporarily_use_uid: 1000/1000 (e=1000/1000) debug1: restore_uid: (unprivileged) -debug1: audit_event: unhandled event 12 (see nexedi/slapos!1095 (comment 147018)) /helped-by @jerome
Showing
Please register or sign in to comment