From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 08 20:32:31 2020 Received: (at 41575) by debbugs.gnu.org; 9 Sep 2020 00:32:31 +0000 Received: from localhost ([127.0.0.1]:56764 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kFo2J-00008m-75 for submit@debbugs.gnu.org; Tue, 08 Sep 2020 20:32:31 -0400 Received: from mail-ej1-f53.google.com ([209.85.218.53]:38988) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kFo2H-00008Z-Er for 41575@debbugs.gnu.org; Tue, 08 Sep 2020 20:32:30 -0400 Received: by mail-ej1-f53.google.com with SMTP id p9so981362ejf.6 for <41575@debbugs.gnu.org>; Tue, 08 Sep 2020 17:32:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KlEcsT+k2b3eyyjEC0INa68pgG2ZNXQrd2N6iF8kbYw=; b=oruAc7ZAKffd64SI4vzHpn2xeSayqndR+NqzHaovk0kHufWRdhYHasp2s433emGyKQ yq8+I0btoM5VXsoF+Cv1Sa5a/r8O0hVIKxDwf1CX71JPhuj14k/C3qfO4yG3GMdKa2dA KhvyI1BkHMFvhIvckJXl0OjtgNZu2S48+job4dUJJ7nEBSYJe+/t3TlolDCpGWYkMsD4 y9OeU8q0wX/ot9L9ECKUvS40S2q+3hBpZTP6NHHQalku0+bEkog49T6NAuVjRoFHMJs7 rqNxYnupiMbGsk2AwHqF68paLBxp4NPlzc0OY5meTGyNGPWZ/OWkX1yi30zMEvCzfxp2 tsXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KlEcsT+k2b3eyyjEC0INa68pgG2ZNXQrd2N6iF8kbYw=; b=QijBaekWMlwwWlq9Q9FhHlPDFWwnrDKPRmDuxCMhJPKnlJMxdURzujyjXSDkJvGMzh 3dac90JYhO0ust+JZV5drdn372sx4oDvNriSchgFOg8YcNA1H3/vJiCOvPbKEkkmm12Y ViwFyX3PoYOQ885wUDoe+mCT7u6qgz2u/KhqGnTZ1AQ9VW4mLFSwekwUJXg7RK8lps55 t3B5XvkrfVaeh17ptcyB1LlQVpQ0tDQqTfVMGaStbuRDhNEATAjvzVPlOljHI1+teREk 1VmR49BTDaWLKLoKWwijLWqKa69NEpnTp8kOaGX21Y0pksGR3m2VmZ9ucbEU0e5I3fz0 5AKQ== X-Gm-Message-State: AOAM533g4A9NKJDEn5omNq3UBEVMkRd46rAUH/oqObLfi40R7tNFRs/U I3D9nc+1IZ1blzdQvmRMwnmjaIn4OSQJf1vxWHcQzEeluTI= X-Google-Smtp-Source: ABdhPJzWPkK7DbVIJslSwGc3sJQvI1ekgfcYeGE4xLYmVTmYd/SLX9IqmTKl9xSlfVmCFqdEGq+vFbPaEOFuVD0ahco= X-Received: by 2002:a17:906:ce4b:: with SMTP id se11mr1063169ejb.386.1599611543159; Tue, 08 Sep 2020 17:32:23 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: conjaroy Date: Tue, 8 Sep 2020 20:31:47 -0400 Message-ID: Subject: Re: Container with openssh-service requires sshd user on the host To: 41575@debbugs.gnu.org Content-Type: multipart/alternative; boundary="000000000000cf093a05aed695b2" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 41575 Cc: edk@beaver-labs.com X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --000000000000cf093a05aed695b2 Content-Type: text/plain; charset="UTF-8" In an eariler bug comment [1] I corroborated that nscd was leaking /etc/passwd information from the host OS into the Guix container, and I wondered aloud why the container would use the host OS's nscd if there was a risk of this happening. I've looked into how Guix configures its own nscd, and it turns out that by default it enables lookups only for `hosts` and `services` - not for `passwd`, `group`, or `netgroup`. Presumably, then, this configuration is sufficient for nscd to prevent the glibc compatibility issues described in the manual [3]. After adding the following 3 lines in nscd.conf on my foreign distro (Debian 10) and restarting nscd, my Guix system containers were able to boot successfully while talking to the daemon: enable-cache passwd no enable-cache group no enable-cache netgroup no So I think the bug here is that the Guix manual page advising the use of nscd on a foreign distro [3] doesn't elaborate on which types of service lookups are safe to enable in the daemon. If Guix is used only to build and run binaries then perhaps it could use nscd for all lookups, but this is evidently not the case for Guix system containers. Cheers, Jason [1] https://www.mail-archive.com/bug-guix@gnu.org/msg19915.html [2] https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/services/base.scm?h=version-1.1.0#n1238 [3] https://guix.gnu.org/manual/en/html_node/Application-Setup.html On Mon, Aug 24, 2020 at 11:15 PM conjaroy wrote: > I've observed this error under similar circumstances: launching a guix > system container script with network sharing enabled, on a foreign disto > (Debian 10) with nscd running. > > Using `strace -f /gnu/store/...-run-container`, we can observe the > container's lookup of user accounts via the foreign distro's nscd socket: > > [pid 16582] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 11 > [pid 16582] connect(11, {sa_family=AF_UNIX, > sun_path="/var/run/nscd/socket"}, 110) = 0 > [pid 16582] sendto(11, "\2\0\0\0\0\0\0\0\t\0\0\0postgres\0", 21, > MSG_NOSIGNAL, NULL, 0) = 21 > [pid 16582] poll([{fd=11, events=POLLIN|POLLERR|POLLHUP}], 1, 5000) = 1 > ([{fd=11, revents=POLLIN}]) > [pid 16582] read(11, > "\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0\0\0\0"..., > 36) = 36 > [pid 16582] close(11) = 0 > > Since the user ("postgres") is indeed missing in the foreign disto, the > lookup fails. In this case, disabling nscd on the foreign distro allowed > the container script to run without error. > > Based on comments in https://issues.guix.info/issue/28128, I see that it > was a deliberate choice to bind-mount the foreign distro's nscd socket > inside the container (instead of starting a separate containerized nscd > instance). But I'm having trouble seeing why it's acceptable to leak state > from the foreign distro's user space into the container. Is there something > I'm missing? > > Cheers, > > Jason > --000000000000cf093a05aed695b2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
In an eariler bug comment [1] I corroborated that nsc= d was leaking /etc/passwd information from the host OS into the Guix contai= ner, and I wondered aloud why the container would use the host OS's nsc= d if there was a risk of this happening.

I've = looked into how Guix configures its own nscd, and it turns out that by defa= ult it enables lookups only for `hosts` and `services` - not for `passwd`, = `group`, or `netgroup`. Presumably, then, this configuration is sufficient = for nscd to prevent the glibc compatibility issues described in the manual = [3].

After adding the following 3 lines in nsc= d.conf on my foreign distro (Debian 10) and restarting nscd, my Guix system= containers were able to boot successfully while talking to the daemon:

=C2=A0 =C2=A0 =C2=A0 =C2=A0 enable-cache =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0passwd =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0no<= /div>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 enable-cache =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0group =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 no
=C2= =A0 =C2=A0 =C2=A0 =C2=A0 enable-cache =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0netgroup =C2=A0 =C2=A0 =C2=A0 =C2=A0no

S= o I think the bug here is that the Guix manual page advising the use of nsc= d on a foreign distro [3] doesn't elaborate on which types of service l= ookups are safe to enable in the daemon. If Guix is used only to build and = run binaries then perhaps it could use nscd for all lookups, but this is ev= idently not the case for Guix system containers.


Cheers,

Jason

=


On Mon, Aug 24, 2020 at 11:15 PM conjaroy <conjaroy@gmail.com> wrote:
<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex">
I= 9;ve observed this error under similar circumstances: launching a gui= x system container script with network sharing enabled, on a foreign disto = (Debian 10) with nscd running.

Using `strac= e -f /gnu/store/...-run-container`, we can observe the container's look= up of user accounts via the foreign distro's nscd socket:

[pid 16582] socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_N= ONBLOCK, 0) =3D 11
[pid 16582] connect(11, {sa_family=3DAF_UNIX, sun_pat= h=3D"/var/run/nscd/socket"}, 110) =3D 0
[pid 16582] sendto(11,= "\2\0\0\0\0\0\0\0\t\0\0\0postgres\0", 21, MSG_NOSIGNAL, NULL, 0)= =3D 21
[pid 16582] poll([{fd=3D11, events=3DPOLLIN|POLLERR|POLLHUP}], 1= , 5000) =3D 1 ([{fd=3D11, revents=3DPOLLIN}])
[pid 16582] read(11, "= ;\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\377\377\377\377\377\377\377\377\0\0\0\0\0= \0\0\0"..., 36) =3D 36
[pid 16582] close(11) =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =3D 0

Since the user ("postgres") is indeed missing in the foreign d= isto, the lookup fails. In this case, disabling nscd on the foreign distro = allowed the container script to run without error.

Based on comments in https://issues.guix.info/issue/28128, I see that it = was a deliberate choice to bind-mount the foreign distro's nscd socket = inside the container (instead of starting a separate containerized nscd ins= tance). But I'm having trouble seeing why it's acceptable to leak s= tate from the foreign distro's user space into the container. Is there = something I'm missing?

Cheers,

<= /div>
Jason
--000000000000cf093a05aed695b2--