• Kirill Smelkov's avatar
    trun: Spawn user test with sole regular uid/gid in /etc/{passwd,group} database · e6b7993c
    Kirill Smelkov authored
    Even though libc.opentty stopped to insist on chown(group=tty) for
    /dev/pts/*, openssh still wants to do it and fails, preventing sshd from
    working. Fix it by spawning test workload with sole current user and
    group being present in the password database.
    
    We anyway don't have IDs for users/groups different from current uid/gid
    mapped from current namespace, and the kernel, when seeing a file owned
    by those, maps them to "nobody/nogroup" for existing files, and rejects
    chown to those original IDs obtained from parent's namespace
    /etc/{passwd,group} as EINVAL. For the same reason we don't try to mount
    our own /dev/pts instance, because we have only current uid/gid mapped
    to parent namespace and gid=5 maps to nogroup in parent. With existing
    /dev/pts mount entries are only listed as having nogroup, and from
    outside they _are_ owned by parent's tty group. If we would mount
    /dev/pts anew, parent won't see our /dev/pts/* at all which moves us
    a bit more far from desired behaviour.
    
    Still keep root and nobody/nogroup as @jerome reports that without those
    users Go tests fail on Debian9:
    
        nexedi/slapos!1095 (comment 147177)
        nexedi/slapos!1095 (comment 147201)
    
    See added comment about all this for more details.
    
    This patch fixes sshd to work under tryn.py(*)
    
    No test because libc.openpty works both with and without this patch, and
    it would need too spawn whole sshd under test to verify this.
    
    (*) the diff for sshd 1) running successfully under regular user, and 2)
        previously failing under trun.py without this patch is below:
    
        diff --git a/regular-nopam.txt b/trun-nopam.txt
        index 378ccb6..5b96c08 100644
        --- a/regular-nopam.txt
        +++ b/trun-nopam.txt
        @@ -1,4 +1,4 @@
        -(neo) (z-dev) (g.env) kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no
        +kirr@deca:~/tmp/trashme/sshd$ /sbin/sshd -d -p 2222 -h `pwd`/ssh_host_rsa_key -o UsePAM=no
         debug1: sshd version OpenSSH_8.4, OpenSSL 1.1.1k  25 Mar 2021
         debug1: private host key #0: ssh-rsa SHA256:y+ujVDqqFBXTclDM2NLy4GME7wReutLcUYOWAeriXdc
         debug1: setgroups() failed: Operation not permitted
        @@ -91,35 +91,13 @@ debug1: session_input_channel_req: session 0 req pty-req
         debug1: Allocating pty.
         debug1: session_new: session 0
         debug1: SELinux support disabled
        -Attempt to write login records by non-root user (aborting)
        -debug1: session_pty_req: session 0 alloc /dev/pts/2
        -debug1: server_input_channel_req: channel 0 request env reply 0
        -debug1: session_by_channel: session 0 channel 0
        -debug1: session_input_channel_req: session 0 req env
        -debug1: server_input_channel_req: channel 0 request shell reply 1
        -debug1: session_by_channel: session 0 channel 0
        -debug1: session_input_channel_req: session 0 req shell
        -Starting session: shell on pts/2 for kirr from 127.0.0.1 port 44106 id 0
        -debug1: Setting controlling tty using TIOCSCTTY.
        -
        -debug1: Received SIGCHLD.
        -debug1: session_by_pid: pid 693948
        -debug1: session_exit_message: session 0 channel 0 pid 693948
        -debug1: session_exit_message: release channel 0
        -debug1: session_by_tty: session 0 tty /dev/pts/2
        -debug1: session_pty_cleanup2: session 0 release /dev/pts/2
        -Attempt to write login records by non-root user (aborting)
        -debug1: session_by_channel: session 0 channel 0
        -debug1: session_close_by_channel: channel 0 child 0
        -Close session: user kirr from 127.0.0.1 port 44106 id 0
        -debug1: channel 0: free: server-session, nchannels 1
        -Received disconnect from 127.0.0.1 port 44106:11: disconnected by user
        -Disconnected from user kirr 127.0.0.1 port 44106
        +chown(/dev/pts/2, 1000, 5) failed: Invalid argument
         debug1: do_cleanup
         debug1: temporarily_use_uid: 1000/1000 (e=1000/1000)
         debug1: restore_uid: (unprivileged)
        +debug1: session_pty_cleanup2: session 0 release /dev/pts/2
        +Attempt to write login records by non-root user (aborting)
        +debug1: audit_event: unhandled event 12
         debug1: do_cleanup
         debug1: temporarily_use_uid: 1000/1000 (e=1000/1000)
         debug1: restore_uid: (unprivileged)
        -debug1: audit_event: unhandled event 12
    
        (see nexedi/slapos!1095 (comment 147018))
    
    /helped-and-reviewed-by @jerome
    /reviewed-on nexedi/nxdtest!13
    e6b7993c
trun.py 7.68 KB