I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper, to avoid forgetting about it.
It was found that using something like:
(list (file-append coreutils "/bin/true"))
(mappings (delq 'user %namespaces))
would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.
The solution proposed by Ludovic in would be to:
> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.
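The following C program is an added example, not code from this bug report or from Guix; it restates the problem at the syscall level. It shows why unshare(2) without CLONE_NEWUSER needs CAP_SYS_ADMIN in the current user namespace (so dropping 'user from the list while already running as "nobody" gives EPERM), and it implements the order Ludovic proposes: enter the namespaces first, then setgid/setuid. The namespace-name table, the function names and the placement of the privilege drop are assumptions of this example, not the wrapper's actual code.

```c
/* Added example (not from the bug report or Guix): demonstrates, at the
 * syscall level, why "setuid to nobody, then unshare without a user
 * namespace" fails with EPERM, and the fix of doing unshare() first and
 * only then dropping to the target user/group.  Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Namespace names in the spirit of %namespaces, mapped to unshare(2) flags.
 * This table is an assumption of the example, not Guix's definition. */
struct ns_entry { const char *name; int flag; };
static const struct ns_entry ns_table[] = {
    { "cgroup", CLONE_NEWCGROUP },
    { "ipc",    CLONE_NEWIPC },
    { "mount",  CLONE_NEWNS },
    { "net",    CLONE_NEWNET },
    { "pid",    CLONE_NEWPID },
    { "user",   CLONE_NEWUSER },
    { "uts",    CLONE_NEWUTS },
};

/* Translate a list of namespace names into unshare(2) flags; -1 on an
 * unknown name.  Equivalent to (delq 'user %namespaces) when "user" is
 * simply left out of the list. */
int ns_flags(const char *const *names, size_t n) {
    int flags = 0;
    for (size_t i = 0; i < n; i++) {
        bool found = false;
        for (size_t j = 0; j < sizeof ns_table / sizeof ns_table[0]; j++) {
            if (strcmp(names[i], ns_table[j].name) == 0) {
                flags |= ns_table[j].flag;
                found = true;
                break;
            }
        }
        if (!found)
            return -1;
    }
    return flags;
}

/* Creating any namespace other than a user namespace requires CAP_SYS_ADMIN
 * in the caller's current user namespace.  When CLONE_NEWUSER is part of the
 * same unshare() call, the kernel creates the user namespace first and the
 * caller holds full capabilities inside it, so no prior privilege is needed.
 * Hence: no 'user in the list + already running as "nobody" => EPERM. */
bool needs_cap_sys_admin(int flags) {
    return (flags & ~CLONE_NEWUSER) != 0 && (flags & CLONE_NEWUSER) == 0;
}

/* The proposed order: enter the namespaces while still privileged, then
 * drop to the target identity (what #:user/#:group on the wrapper would do).
 * Returns 0 on success or -errno.  flags == 0 skips unshare() entirely. */
int enter_namespaces_then_drop_privs(int flags, uid_t uid, gid_t gid) {
    if (flags != 0 && unshare(flags) != 0)
        return -errno;            /* -EPERM here is the failure from the report */
    /* Supplementary groups, then gid, then uid: changing the uid first would
     * forfeit the right to change the gid afterwards. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

int main(void) {
    const char *const names[] = { "mount", "pid", "net" };   /* no "user" */
    int flags = ns_flags(names, 3);
    printf("needs CAP_SYS_ADMIN without 'user: %s\n",
           needs_cap_sys_admin(flags) ? "yes" : "no");
    /* Safe demonstration on the current identity: no namespace change and
     * the process's own uid/gid, which is always permitted. */
    int rc = enter_namespaces_then_drop_privs(0, getuid(), getgid());
    printf("drop to current identity: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Running the real case (unshare of a mount or pid namespace as an unprivileged user, without CLONE_NEWUSER) returns -EPERM from enter_namespaces_then_drop_privs, which is the same failure the report describes; the same call made while still root, followed by the setgid/setuid, succeeds, which is the ordering the proposed #:user and #:group arguments would give the wrapper.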