[Virtio-fs] [virtiofsd] MR opened: Do not call setgroups() for unprivileged user namespace mode

virtiofs-bot at sinrega.org virtiofs-bot at sinrega.org
Thu Mar 24 22:36:17 UTC 2022


Right now --sandbox=Namespace is broken when called by an unprivileged user. The reason is that we call setgroups(), and that's not allowed for an unprivileged user both outside and inside a user namespace.

When an unprivileged user is launching a user namespace (without help from newuidmap/newgidmap), then it can only map its own id. That means there is no arbitrary switching of uid/gid. And that also means anything not owned by the user will show up as "nobody" and the user cannot write to that file/dir.

So all this means that we should not necessarily have to call setgroups() for this particular mode. This patch gets rid of the call to setgroups() for "--sandbox=Namespace" mode when called by an unprivileged user. When root starts with "--sandbox=Namespace", setgroups() is still called.

I also picked a patch from Sergio which establishes a 1:1 mapping of uid/gid in the newly created namespace. So a uid outside the user namespace is mapped to the same uid inside the user namespace. This is good if a user wants to export his/her own home directory into a VM. Without this patch, user-owned files show up as nobody, which is not very useful at all.
---
https://gitlab.com/virtio-fs/virtiofsd/-/merge_requests/105
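
Added example, not part of the original message and not virtiofsd's own code: a Python sketch of the 1:1 mapping an unprivileged process can set up for itself, which also shows why setgroups() cannot be called afterwards. All function names are hypothetical, and treating "privileged" as euid 0 is an assumption taken from the "when root starts" wording above.

```python
import errno
import os


def should_call_setgroups(euid: int) -> bool:
    # Assumption: "privileged" means euid 0, matching "when root starts" above.
    return euid == 0


def idmap_line(host_id: int) -> str:
    # uid_map/gid_map format: "<id inside> <id outside> <count>"; 1:1 mapping.
    return f"{host_id} {host_id} 1\n"


def unprivileged_userns_writes(euid: int, egid: int) -> list:
    """Ordered /proc writes for a user namespace created without newuidmap.

    The kernel rejects an unprivileged gid_map write until "deny" is written
    to setgroups; from then on setgroups() fails inside the namespace.
    """
    return [
        ("/proc/self/uid_map", idmap_line(euid)),
        ("/proc/self/setgroups", "deny"),
        ("/proc/self/gid_map", idmap_line(egid)),
    ]


def enter_namespace_and_probe_setgroups() -> int:
    """Create the namespace, then return the errno setgroups() gives (0 if none)."""
    euid, egid = os.geteuid(), os.getegid()  # read before unshare changes the view
    os.unshare(os.CLONE_NEWUSER)             # Python 3.12+, Linux only
    for path, content in unprivileged_userns_writes(euid, egid):
        with open(path, "w") as f:
            f.write(content)
    try:
        os.setgroups([])                     # the call the MR skips in this mode
    except OSError as e:
        return e.errno
    return 0


if __name__ == "__main__":
    if should_call_setgroups(os.geteuid()) or not hasattr(os, "unshare"):
        print("run as an unprivileged user on Linux with Python 3.12+")
    else:
        rc = enter_namespace_and_probe_setgroups()
        print("setgroups():", errno.errorcode.get(rc, "succeeded"))
```

Run as an ordinary user on a kernel with unprivileged user namespaces enabled, the probe reports EPERM.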


