Open ryantm opened 7 years ago
More debugging info
The newgrp outside of the shell uses a setuid-wrapper
ryantm@home1 ~ (master)$ which newgrp
/var/setuid-wrappers/newgrp
ryantm@home1 ~ (master)$ nix-shell --pure -p shadow libcap which --command "which newgrp"
warning: Nix search path entry ‘/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs’ does not exist, ignoring
/nix/store/nzx36nwgdy04gwrlfqmrml0w2gh05vnh-shadow-4.2.1/bin/newgrp
The capabilities look the same:
ryantm@home1 ~ (master)$ capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000(ryantm)
gid=100(users)
groups=1(wheel),57(networkmanager),100(users)
ryantm@home1 ~ (master)$ nix-shell --pure -p shadow libcap which --command "capsh --print"
warning: Nix search path entry ‘/nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs’ does not exist, ignoring
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000(ryantm)
gid=100(users)
groups=1(wheel),57(networkmanager),100(users)
Yes, that seems expected not to work. newgrp seems to need setuid, and setuid binaries cannot exist in the store; the setuid wrapper indirection must be used.
That's unfortunate, because newgrp seems like a good way to change a user's primary group temporarily, so the files and folders they create have the correct group.
You can call /var/setuid-wrappers/newgrp explicitly (it's not pure, of course).
@vcunat That works on Nixos, but not other operating systems.
On other systems there's typically /usr/bin/newgrp ;-)
Related issue: https://github.com/NixOS/nix/issues/1037
I think there needs to be better ergonomics with regards to developing applications that make use of setuid programs inside a nix-shell.
@vcunat Is that /run/wrappers/bin/ now?
Yes, apparently, but generally one should try to avoid hardcoding such paths.
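The diagnostic below is an added example, not code from this thread or from nixpkgs. It shows the mechanism the comments above describe: inside `nix-shell --pure`, PATH resolves `newgrp` to a store copy that can never carry the setuid bit, while the privileged copy lives in a wrapper directory (`/var/setuid-wrappers` or `/run/wrappers/bin`, both as named in the thread). The wrapper directory list and the report format are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or nixpkgs): explain why a privileged
# tool such as newgrp fails inside nix-shell. Store paths cannot be setuid, so
# the PATH-resolved copy has no privilege and setgid() fails; NixOS keeps the
# real setuid copies in a wrapper directory instead.
# Assumption: the wrapper directories are the two mentioned in the thread.
WRAPPER_DIRS="${WRAPPER_DIRS:-/run/wrappers/bin /var/setuid-wrappers}"

# Classify one file by its mode bits: "setuid", "plain" or "missing".
classify_binary() {
    [ -e "$1" ] || { echo missing; return; }
    if [ -u "$1" ]; then echo setuid; else echo plain; fi
}

# Print the first wrapper copy of NAME that really has the setuid bit, or "none".
find_setuid_wrapper() {
    for d in $WRAPPER_DIRS; do
        if [ "$(classify_binary "$d/$1")" = setuid ]; then
            echo "$d/$1"
            return
        fi
    done
    echo none
}

# Report how NAME resolves on PATH and whether a setuid wrapper exists.
# Output: "<name> path=<resolved|none> mode=<class> wrapper=<path|none>"
diagnose_privileged_cmd() {
    name=$1
    resolved=$(command -v "$name" 2>/dev/null || true)
    if [ -n "$resolved" ]; then
        mode=$(classify_binary "$resolved")
    else
        resolved=none
        mode=missing
    fi
    echo "$name path=$resolved mode=$mode wrapper=$(find_setuid_wrapper "$name")"
}

# One-line verdict for a report line produced by diagnose_privileged_cmd.
explain_report() {
    case "$1" in
        *"mode=setuid"*) echo "PATH already resolves to a setuid copy; group change should work";;
        *"mode=plain wrapper=none") echo "unprivileged copy only; no setuid wrapper found, setgid will fail";;
        *"mode=plain wrapper="*) echo "PATH hides the setuid wrapper (typical of nix-shell --pure); call the wrapper path explicitly";;
        *) echo "command not found on PATH";;
    esac
}

# Usage (run inside and outside nix-shell to compare):
#   r=$(diagnose_privileged_cmd newgrp); echo "$r"; explain_report "$r"
```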
@vcunat That still doesn't work because of this error:
The value for the SHELL variable was not found the /etc/shells file
This incident has been reported
Is there some sort of change to /etc/shells needed inside a nix-shell?
Are there any updates on this issue, please?
I confirmed this is still an issue with the latest nixpkgs master and nix version 2.2.2.
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
still important to me
Issue description
When using newgrp inside a nix-shell, the group change fails with "setgid: Operation not permitted". newgrp outside of a nix shell works as expected. Also, changing to the current group inside a nix-shell succeeds. I've confirmed this is a problem on Nixos and Ubuntu using Nix. The issue occurs with or without the dash login flag to newgrp.
Steps to reproduce
log:
strace: