Message-ID: <YW7Cd7c8ycqditff@linaro.org>
Date:   Tue, 19 Oct 2021 10:04:55 -0300
From:   Antonio Terceiro <antonio.terceiro@...aro.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Naresh Kamboju <naresh.kamboju@...aro.org>,
        Sudeep Holla <sudeep.holla@....com>,
        open list <linux-kernel@...r.kernel.org>,
        Shuah Khan <shuah@...nel.org>,
        Florian Fainelli <f.fainelli@...il.com>, patches@...nelci.org,
        lkft-triage@...ts.linaro.org, Jon Hunter <jonathanh@...dia.com>,
        linux-stable <stable@...r.kernel.org>,
        Pavel Machek <pavel@...x.de>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Guenter Roeck <linux@...ck-us.net>,
        Jens Wiklander <jens.wiklander@...aro.org>
Subject: Re: [PATCH 5.14 000/151] 5.14.14-rc1 review

Hi,

On Tue, Oct 19, 2021 at 08:47:58AM +0200, Greg Kroah-Hartman wrote:
> Ah much better, I had an older version of tuxmake here.
> 
> Now it fails with an expected permission problem:
> Error: writing blob: adding layer with blob "sha256:10348114f214e2f07f30fa82aaa743c1750b2a9025cc8bec19f3f4f2b087a96d": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument
> E: Runtime preparation failed: failed to pull remote image docker.io/tuxmake/arm64_gcc-11
> 
> Note, I will not run kernel builds or random containers downloaded from
> the internet as root, sorry :)

Note that podman does *not* run as root by default¹, and that's why
tuxbuild recommends it instead of docker. What it does need is the
ability to create an unprivileged user namespace. This includes:

- having the `kernel.unprivileged_userns_clone` sysctl set to 1

- having enough UIDs and GIDs in the /etc/sub*id mappings, which is what
  the error message you got is complaining about. Just having the following
  lines should be enough:

  $ grep -H terceiro /etc/sub*id
  /etc/subgid:terceiro:100000:65536
  /etc/subuid:terceiro:100000:65536

  On Debian, those are added by default when you create a user
  account. I'm not sure about other systems.

¹ by default in a podman container you are root from the POV of the
  container, but uid 0 in the container is actually mapped to your regular
  UID on the host system.

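A small POSIX shell check for the preconditions listed in the message above: the sysctl, the /etc/subuid and /etc/subgid ranges, and where a container-side id such as the 0:42 in the error lands on the host. This is an added example, not code from the thread or from podman/tuxmake; the file names and the 65536 minimum are taken from the message, and `host_id_for` assumes the usual rootless mapping (container id 0 is your own uid/gid, container id N is range start + N - 1).

```shell
# Added example, not from the thread: check the rootless-podman preconditions
# from the message above (65536 minimum and file names taken from it).

# Total sub-IDs mapped to USER in FILE (lines: user:start:count, possibly
# several per user). Prints 0 when the file is missing or has no entry.
subid_range_size() {
    [ -r "$1" ] || { echo 0; return; }
    awk -F: -v u="$2" '$1 == u { t += $3 } END { print t + 0 }' "$1"
}

# Start of USER's first range in FILE (empty when none).
subid_range_start() {
    [ -r "$1" ] && awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# True when USER has at least MIN (default 65536) sub-IDs in FILE.
check_subid_file() {
    [ "$(subid_range_size "$1" "$2")" -ge "${3:-65536}" ]
}

# Host id that container-side id CID maps to for a user with own id OWN and a
# sub-ID range starting at START (assumes the usual rootless mapping:
# container id 0 is OWN, container id N is START+N-1, so 0:42 needs START+41).
host_id_for() {
    if [ "$3" -eq 0 ]; then echo "$1"; else echo $(($2 + $3 - 1)); fi
}

# Debian's kernel.unprivileged_userns_clone knob; skipped where absent.
check_userns_sysctl() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" = 1 ]
}

check_rootless_podman() {
    user=${1:-$(id -un)}; rc=0
    check_userns_sysctl || { echo "problem: unprivileged_userns_clone is not 1"; rc=1; }
    for f in /etc/subuid /etc/subgid; do
        if check_subid_file "$f" "$user"; then
            echo "ok: $f maps $(subid_range_size "$f" "$user") ids for $user" \
                 "starting at $(subid_range_start "$f" "$user")"
        else
            echo "problem: $f maps fewer than 65536 ids for $user"; rc=1
        fi
    done
    return $rc
}
check_rootless_podman "$@"
```

Run it as the account that will invoke podman; a "problem" line for either file means `usermod --add-subuids` / `--add-subgids` (or an edit of the file) is needed before the image layers can be unpacked.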
