From: Arseny Maslennikov
To: ALT Linux Team development discussions
Date: Mon, 12 Feb 2024 16:16:41 +0300
Subject: Re: [devel] I: brp-verify-unit: "... assumes overflowugid credentials"

On Mon, Feb 12, 2024 at 01:50:27PM +0300, Anton Farygin wrote:
> On 12.02.2024 13:34, Dmitry V. Levin wrote:
> > Things actually stand somewhat differently.
>
> Well, yes, but that doesn't really change the point.
>
> Judging by the documentation, this sysctl is needed for some old file
> systems:
>
> https://docs.kernel.org/admin-guide/sysctl/fs.html#overflowgid-overflowuid

NFS, with its root remapping logic, can hardly be called an old file system. :)

Moreover, Dima's message quoting a git grep over the kernel prompted me to learn about this:

user_namespaces(7):
   Unmapped user and group IDs
       There are various places where an unmapped user ID (group ID) may be
       exposed to user space. For example, the first process in a new user
       namespace may call getuid(2) before a user ID mapping has been defined
       for the namespace. In most such cases, an unmapped user ID is converted
       to the overflow user ID (group ID); the default value for the overflow
       user ID (group ID) is 65534. See the descriptions of
       /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid in
       proc(5).

       The cases where unmapped IDs are mapped in this fashion include system
       calls that return user IDs (getuid(2), getgid(2), and similar),
       credentials passed over a UNIX domain socket, credentials returned by
       stat(2), waitid(2), and the System V IPC "ctl" IPC_STAT operations,
       credentials exposed by /proc/pid/status and the files in
       /proc/sysvipc/*, credentials returned via the si_uid field in the
       siginfo_t received with a signal (see sigaction(2)), credentials
       written to the process accounting file (see acct(5)), and credentials
       returned with POSIX message queue notifications (see mq_notify(3)).
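The conversion described in the user_namespaces(7) excerpt above, as an added example that is not part of the original message: it translates an ID from the parent namespace into what a process inside the user namespace would see, falling back to the overflow ID when no mapping covers it. The function names and the sample map are assumptions made for illustration; the map uses the three-column /proc/PID/uid_map layout as read from the parent namespace.

```python
"""Added illustration: how an ID from outside a user namespace appears inside it."""
from pathlib import Path

DEFAULT_OVERFLOW_ID = 65534  # default stated in user_namespaces(7)


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        extents.append((inside, outside, length))
    return extents


def view_from_namespace(outside_id, extents, overflow_id=DEFAULT_OVERFLOW_ID):
    """Return the ID that stat(2), getuid(2), etc. would report inside the namespace."""
    for inside, outside, length in extents:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return overflow_id  # unmapped: the kernel substitutes the overflow ID


def read_overflow_id(path="/proc/sys/kernel/overflowuid"):
    """Read the live sysctl value, falling back to the documented default."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return DEFAULT_OVERFLOW_ID


# Constructed sample: a typical rootless-container map (not taken from the thread).
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

if __name__ == "__main__":
    extents = parse_id_map(SAMPLE_UID_MAP)
    overflow = read_overflow_id()
    for host_uid in (1000, 100000, 165533, 0, 999):
        print(host_uid, "->", view_from_namespace(host_uid, extents, overflow))
```

With the sample map, parent-namespace UID 165533 is legitimately mapped to 65534 inside the namespace, which is indistinguishable from the value reported for unmapped IDs such as the parent's UID 0.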