Date: Sat, 02 Sep 2023 10:16:43 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 273517] [Linuxulator]: getxattr EPERM for non-root users inside chroots Message-ID: <bug-273517-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D273517 Bug ID: 273517 Summary: [Linuxulator]: getxattr EPERM for non-root users inside chroots Product: Base System Version: 14.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: jwmullally@gmail.com Hi, ## Summary: It seems that on FreeBSD 14.0-ALPHA3 for non-root users in Linux chroots, getxattr returns EPERM which causes some coreutils commands to fail (e.g. cp -a), whereas on FreeBSD 13.1 getxattr simply returned EOPNOTSUPP which lets= the tools skip that step and continue successfully. It might be the same issue as https://lists.freebsd.org/archives/freebsd-current/2023-August/004433.html "Possible issue with linux xattr support?" ## Example impact: "apt update" failing in a fresh debootstrap due to "cp -a" failure in the apt-key script, which runs as another user "_apt". This works OK on FreeBSD 13.1. (See here https://forums.freebsd.org/threads/debian-12-bookworm-jail-encounters-gpg-e= rror-in-freebsd-14-0.90093/#post-620794 for more details ) ## Steps to reproduce: ### On fresh install FreeBSD system, where /root homedir is on UFS partition pkg install sysutils/debootstrap kldload linux64 fdescfs linprocfs linsysfs tmpfs service linux onestart cd /root mkdir debian_build cd debian_build mkdir dev dev/fd dev/shm proc sys tmp mount -t linprocfs none `pwd`/proc mount -t devfs none `pwd`/dev mount -t fdescfs none `pwd`/dev/fd mount -t tmpfs none `pwd`/dev/shm mount -t linsysfs none `pwd`/sys mount -t tmpfs none `pwd`/tmp chmod 1777 dev/shm tmp debootstrap bullseye . http://deb.debian.org/debian chroot . /bin/bash ### Inside the chroot adduser --disabled-password --gecos "" someguy su someguy cd /home/someguy ### Comparing cp -a / cp --preserve=3Dmode on both FreeBSD 13 and 14 someguy@freebsd14:~$ uname -a FreeBSD freebsd14 14.0-ALPHA3 FreeBSD 14.0-ALPHA3 amd64 1400097 #0 stable/14-n265022-2af9390e54ed: Fri Aug 25 05:45:56 UTC 2023=20=20=20=20 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 someguy@freebsd13:~$ strace cp --preserve=3Dmode hello hello2 fgetxattr(3, "system.posix_acl_access", 0x7fffffffdcc0, 132) =3D -1 EOPNOTS= UPP (Operation not supported) fsetxattr(4, "system.posix_acl_access", "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\4\0\377\377\377\377 \0\4\0\377\377\377\377", 28, 0) =3D -1 EOPNOTSUPP (Operation not supported) +++ exited with 0 +++ someguy@freebsd14:~$ strace cp --preserve=3Dmode hello hello2 fgetxattr(3, "system.posix_acl_access", 0x7fffffffbd30, 132) =3D -1 EPERM (Operation not permitted) +++ exited with 1 +++ ### ls -l fails on FreeBSD 14 someguy@freebsd14:~$ ls -l ls: hello: Operation not permitted ls: hello2: Operation not permitted total 0K -rw-r--r-- 1 someguy someguy 0 Sep 1 20:11 hello -rw-r--r-- 1 someguy someguy 0 Sep 1 21:14 hello2 someguy@freebsd14:~$ strace ls -l 2>&1 | grep getxattr getxattr("hello", "system.posix_acl_access", NULL, 0) =3D -1 EPERM (Operati= on not permitted) getxattr("hello2", "system.posix_acl_access", NULL, 0) =3D -1 EPERM (Operat= ion not permitted) ### apt update apt-key failure: root@freebsd14:/# ps auxfww root 949 0.0 0.1 13404 2964 ? Ss 15:39 0:00 login [pam] root 950 0.0 0.1 13368 3152 ? S 15:39 0:01 \_ -sh root 25160 0.0 0.2 6036 4400 ? S 18:11 0:03 \_ /bin/bash root 26053 0.0 0.5 14720 11140 ? T 18:25 0:00 \_ apt -oAPT::Status-Fd=3D1 -oDebug::Acquire::gpgv=3D1 update _apt 26056 0.0 0.7 20448 14932 ? T 18:25 0:00 |= =20=20 \_ /usr/lib/apt/methods/http _apt 26058 0.0 0.4 13884 9832 ? T 18:25 0:00 |= =20=20 \_ /usr/lib/apt/methods/gpgv _apt 26059 0.0 0.4 14140 9944 ? T 18:25 0:00 |= =20=20=20=20 \_ /usr/lib/apt/methods/gpgv _apt 26060 0.0 0.0 2464 1652 ? T 18:25 0:00 |= =20=20=20=20 \_ /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD _apt 26061 0.0 0.0 2376 1552 ? T 18:25 0:00 |= =20=20=20=20 \_ sleep 3600 root@freebsd14:~# su _apt -s /bin/dash $ id uid=3D100(_apt) gid=3D65534(nogroup) groups=3D65534(nogroup) _apt@freebsd14:/$ /bin/sh -x /usr/bin/apt-key --quiet --readonly verify --status-fd 1 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD # ... + ls -la /tmp/apt-key-gpghome.ptBlRcbxDY ls: /tmp/apt-key-gpghome.ptBlRcbxDY: Operation not permitted ls: /tmp/apt-key-gpghome.ptBlRcbxDY/.: Operation not permitted ls: /tmp/apt-key-gpghome.ptBlRcbxDY/..: Operation not permitted ls: /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg: Operation not permitted total 56K drwx------ 2 _apt root 64 Sep 1 19:41 . drwxrwxrwt 3 root root 256 Sep 1 19:41 .. -rw-r--r-- 1 _apt root 56156 Sep 1 19:41 pubring.gpg + cp -a /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.orig.gpg cp: =E2=80=98/tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg=E2=80=99: Operatio= n not permitted --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-273517-227>