gittup / tup

Tup is a file-based build system.
http://gittup.org/tup/
GNU General Public License v2.0

tup only works with sudo ("setgroups: Permission denied") #502

Open uohmak4fvpqe opened 5 months ago

uohmak4fvpqe commented 5 months ago

So I just upgraded to Ubuntu 24.04. Now, this is what I get:

$ tup
/proc/11285/setgroups: Permission denied
tup error: Unable to deny setgroups when setting up user namespace.
tup error: master_fork server did not start up correctly.

However, sudo tup works

uohmak4fvpqe commented 4 months ago

GPT and I have been investigating that. Turns out AppArmor was causing the trouble, and this solved the issue for me:

  1. delete /etc/apparmor.d/tup or any file there named after tup
  2. create the file /etc/apparmor.d/usr.local.bin.tup (adapt the filename and file content to your tup path):
     #include <tunables/global>
     "/usr/local/bin/tup" {
       #include <abstractions/base>
       # CAP_SYS_ADMIN covers the write of "deny" to /proc/<pid>/setgroups
       # that fails in the error message above
       capability sys_admin,
       mount,
       umount,
       # read, write and lock any path
       /** rwk,
       # execute any path, with the child inheriting this profile
       /** ix,
     }
  3. run sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.tup

This basically allows everything tup might have requested for during my tests. in case I missed anything and you have tup complain about missing rights, you can then run aa-notify -s 1 -v to see what was denied and tune the file above

danielytics commented 3 months ago

I had to add flags=(attach_disconnected) to mine to make it work:

#include <tunables/global>
# attach_disconnected lets the profile handle paths that are no longer
# connected to the namespace root ("disconnected path" in the log below)
"/usr/local/bin/tup" flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
  mount,
  umount,
  /** rwk,
  /** ix,
}

I don't really know anything about AppArmor so I don't know why I needed it and why that worked, but in case other people are having trouble getting it to work, adding that worked for me.

This is what I saw in journalctl -xe before adding it:

Jul 23 10:16:26 mosi kernel: audit: type=1400 audit(1721726186.039:4133): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="/usr/local/bin/tup" name="home/dan/foo/.tup/tmp/

athajaerel commented 2 months ago

Ubuntu 22.04 LTS "Jammy".

I have the exact same error message. Nothing tup-related in the journalctl log.

I followed the suggestion above and added the flag, but it didn't help.

My tup is in /usr/bin rather than /usr/local/bin, but I made that change to the AppArmor config above.

If it's any use, here is my aa-notify output:

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

I don't know how to progress this. Just to get some work done, I'll switch to make. (Ugh.)
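The workflow the thread converges on is "look at what AppArmor denied (journalctl or aa-notify), then add a matching rule or flag to the profile". The script below is an added example of that step, not code from tup or from any of the commenters: it parses AppArmor audit lines and proposes the profile rule each denial calls for. The log lines it runs on are constructed here, shaped like the getattr/disconnected-path line and the capable/dac_override entries posted above; the mapping from denial to rule is a heuristic starting point, not AppArmor's own logic (aa-logprof is the supported tool for this).

```python
"""Turn AppArmor "DENIED" audit lines into candidate profile rules.

Added example for this thread; not code from the tup project or the
commenters. The denial -> rule mapping is a heuristic, not aa-logprof.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real captures), modelled on the
# journalctl and aa-notify output in the thread.
SAMPLE_LOG = """\
audit: type=1400 audit(1721726186.039:4133): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="/usr/local/bin/tup" name="home/dan/foo/.tup/tmp/" pid=4242 comm="tup"
audit: type=1400 audit(1721726190.100:4134): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/tup" pid=4243 comm="tup" capability=1 capname="dac_override"
audit: type=1400 audit(1721726190.101:4135): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/tup" pid=4243 comm="tup" capability=1 capname="dac_override"
audit: type=1400 audit(1721726191.000:4136): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/tup" name="/home/dan/foo/build.log" pid=4244 comm="tup" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1721726192.000:4137): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/tup" name="/etc/hosts" requested_mask="r" denied_mask="r"
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit format
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# audit mask characters -> profile permission letters ("c"/"a" are writes)
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "a": "w", "k": "k", "l": "l", "m": "m", "x": "ix"}
PERM_ORDER = ["r", "w", "k", "l", "m", "ix"]  # "ix" has to come last in a rule


def parse_line(line: str) -> Dict[str, str]:
    """Extract all key=value fields from one audit line into a dict."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Map one parsed denial to a profile rule (or a flag), else None."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return f"capability {fields['capname']},"
    if "disconnected path" in fields.get("info", ""):
        # A path lookup failed because the object is detached from the
        # namespace root; the fix is a profile flag, not a path rule.
        return "flags=(attach_disconnected)"
    name = fields.get("name", "")
    if fields.get("class") == "file" and name.startswith("/"):
        mask = fields.get("denied_mask") or fields.get("requested_mask") or "r"
        wanted = {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
        perms = "".join(p for p in PERM_ORDER if p in wanted)
        return f"{name} {perms},"
    return None


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Profile name -> sorted, de-duplicated rules suggested by its denials."""
    out: Dict[str, set] = {}
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = parse_line(line)
        rule = suggest_rule(fields)
        if rule:
            out.setdefault(fields.get("profile", "?"), set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


def render_profile(profile: str, rules: List[str]) -> str:
    """Render a minimal profile; flags go on the header, rules in the body."""
    flags = sorted(r[len("flags=("):-1] for r in rules if r.startswith("flags=("))
    body = [r for r in rules if not r.startswith("flags=(")]
    header = f'"{profile}"' + (f" flags=({','.join(flags)})" if flags else "") + " {"
    lines = ["#include <tunables/global>", header, "  #include <abstractions/base>"]
    lines += [f"  {r}" for r in body]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(render_profile(profile, rules))
```

Feed it real lines with `journalctl -k | grep 'apparmor="DENIED"'` and reload with `apparmor_parser -r` as in the thread. Two caveats on the profiles posted above, outside what the thread itself says: `capability sys_admin` plus `mount`, `/** rwk` and `/** ix` is effectively no confinement, so the profile exists to lift a restriction, not to sandbox tup; and on Ubuntu 24.04 the restriction in question is the unprivileged user-namespace mediation (`kernel.apparmor_restrict_unprivileged_userns`), which an AppArmor 4.0 profile can grant explicitly with a `userns,` rule rather than by allowing everything.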