Closed jD91mZM2 closed 3 years ago
I mean only using `CloneFlags::CLONE_NEWNS` instead of `CLONE_USER`. Also if the tempdir is only deleted by the process not in the chroot then it would not see the bind mounts when cleaning up everything.
I was unclear, I meant "only" `CLONE_NEWUSER` when X as if "only in this condition". Of course `CLONE_NEWNS` should always be used, which is why it's so strange and scary honestly that the binds seemed to show up anyway when running `mount` to list all mounts
At least with docker I get:
```
root@cdcb9eb19dc3:/app# run bash
Finished dev [unoptimized + debuginfo] target(s) in 0.01s
Running `target/debug/nix-user-chroot .nix bash`
thread 'main' panicked at 'unshare failed: Sys(EPERM)', src/main.rs:108:70
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'failed to remove temporary directory: /tmp/.tmpL9ifcs', src/main.rs:186:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```
adding `--privileged` makes it work.
Yay, thanks :smile:
We only used pivot_root in order to temporarily bind /nix to the host and lift in different files. Now, we instead bind everything beforehand and finally do a simple chroot.
As discussed in #22, I kept the `container.sh` script.
You suggested only using the `CLONE_NEWUSER` flag in case `uid != 0`, however, that did not work for me. For me, that seemed to not clone the namespace at all (I know, right, wtf?) because `mount` listed the temporary directories we created. I got me a real scare when I realised that `tempdir` would probably try to remove the files recursively, although I rebooted and my system doesn't appear to be harmed.
Thus, this PR does not tackle the issue you perceived when the user was root. Sorry.