Commit 2bb7dc04 authored by Kirill Smelkov's avatar Kirill Smelkov

trun: Spawn user test with sole regular uid/gid in /etc/{passwd,group} database

Even though libc.opentty stopped to insist on chown(group=tty) for
/dev/pts/*, openssh still wants to do it and fails, preventing sshd from
working. Fix it by spawning test workload with sole current user and
group being present in the password database.

We anyway don't have IDs for users/groups different from current uid/gid
mapped from current namespace, and the kernel, when seeing a file owned
by those, maps them to "nobody/nogroup" for existing files, and rejects
chown to those original IDs obtained from parent's namespace
/etc/{passwd,group} as EINVAL. For the same reason we don't try to mount
our own /dev/pts instance, because we have only current uid/gid mapped
to parent namespace and gid=5 maps to nogroup in parent. With existing
/dev/pts mount entries are only listed as having nogroup, and from
outside they _are_ owned by parent's tty group. If we would mount
/dev/pts anew, parent won't see our /dev/pts/* at all which moves us
a bit more far from desired behaviour.

Still keep root and nobody/nogroup as @jerome reports that without those
users Go tests fail on Debian9:

    nexedi/slapos!1095 (comment 147177)
    nexedi/slapos!1095 (comment 147201)

See added comment about all this for more details.

This patch fixes sshd to work under tryn.py(*)

No test because libc.openpty works both with and without this patch, and
it would need too spawn whole sshd under test to verify this.

(*) the diff for sshd 1) running successfully under regular user, and 2)
    previously failing under trun.py without this patch is below:

    diff --git a/regular-nopam.txt b/trun-nopam.txt
    index 378ccb6..5b96c08 100644
    --- a/regular-nopam.txt
    +++ b/trun-nopam.txt
    @@ -1,4 +1,4 @@
    -(neo) (z-dev) (g.env) kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no
    +kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no
     debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1k  25 Mar 2021
     debug1: private host key #0: ssh-rsa SHA256:y+ujVDqqFBXTclDM2NLy4GME7wReutLcUYOWAeriXdc
     debug1: setgroups() failed: Operation not permitted
    @@ -91,35 +91,13 @@ debug1: session_input_channel_req: session 0 req pty-req
     debug1: Allocating pty.
     debug1: session_new: session 0
     debug1: SELinux support disabled
    -Attempt to write login records by non-root user (aborting)
    -debug1: session_pty_req: session 0 alloc /dev/pts/2
    -debug1: server_input_channel_req: channel 0 request env reply 0
    -debug1: session_by_channel: session 0 channel 0
    -debug1: session_input_channel_req: session 0 req env
    -debug1: server_input_channel_req: channel 0 request shell reply 1
    -debug1: session_by_channel: session 0 channel 0
    -debug1: session_input_channel_req: session 0 req shell
    -Starting session: shell on pts/2 for kirr from 127.0.0.1 port 44106 id 0
    -debug1: Setting controlling tty using TIOCSCTTY.
    -
    -debug1: Received SIGCHLD.
    -debug1: session_by_pid: pid 693948
    -debug1: session_exit_message: session 0 channel 0 pid 693948
    -debug1: session_exit_message: release channel 0
    -debug1: session_by_tty: session 0 tty /dev/pts/2
    -debug1: session_pty_cleanup2: session 0 release /dev/pts/2
    -Attempt to write login records by non-root user (aborting)
    -debug1: session_by_channel: session 0 channel 0
    -debug1: session_close_by_channel: channel 0 child 0
    -Close session: user kirr from 127.0.0.1 port 44106 id 0
    -debug1: channel 0: free: server-session, nchannels 1
    -Received disconnect from 127.0.0.1 port 44106:11: disconnected by user
    -Disconnected from user kirr 127.0.0.1 port 44106
    +chown(/dev/pts/2, 1000, 5) failed: Invalid argument
     debug1: do_cleanup
     debug1: temporarily_use_uid: 1000/1000 (e=1000/1000)
     debug1: restore_uid: (unprivileged)
    +debug1: session_pty_cleanup2: session 0 release /dev/pts/2
    +Attempt to write login records by non-root user (aborting)
    +debug1: audit_event: unhandled event 12
     debug1: do_cleanup
     debug1: temporarily_use_uid: 1000/1000 (e=1000/1000)
     debug1: restore_uid: (unprivileged)
    -debug1: audit_event: unhandled event 12

    (see nexedi/slapos!1095 (comment 147018))

/helped-by @jerome
parent 4e686c9a
Pipeline #18715 running with stage
in 0 seconds