morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

nspawn: Prevent invalid UIDs propagating in bind mounts (#39729)

Browse Source 
Commit 88fce09026 modified the
mount_bind() function, causing it to perform arithmetic on the uid_shift
parameter. However, it performs this arithmetic even when uid_shift was
UID_INVALID, which was not intended. This typically occurred when
mount_custom() was called for a simple bind mount without user
namespaces (and thus no rootidmap mount option).

This arithmetic (e.g., uid_shift + m->destination_uid) then wraps
around, resulting in the invalid ID 4294967295 ((uid_t)-1).

This bug manifests for users running systemd-nspawn with
--link-journal=host and --volatile=yes (but without --private-users),
causing systemd-tmpfiles to fail.

Make mount_bind() robust by checking if uid_shift is valid before using
it in arithmetic. If it is UID_INVALID, it defaults to a shift of 0 for
the ownership calculation, restoring correct behavior for plain bind
mounts while preserving the intended logic for ID-mapped mounts.

Fixes: #39714
This commit is contained in:
Yu Watanabe
2025-11-16 04:46:18 +09:00
committed by GitHub
parent c15bd80eb9 bb49e719d9
commit c9fc7eb87e
2 changed files with 54 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
test/units/TEST-13-NSPAWN.nspawn.sh
View File

@@ -1477,6 +1477,44 @@ testcase_link_journal_host() {
rm -fr "$root" "$hoge"
}
testcase_volatile_link_journal_no_userns() {
local root machine_id journal_dir acl_output
root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.volatile-journal.XXX)"
create_dummy_container "$root"
machine_id="$(systemd-id128 new)"
echo "$machine_id" >"$root/etc/machine-id"
journal_dir="/var/log/journal/$machine_id"
mkdir -p "$journal_dir"
chown root:root "$journal_dir"
systemd-nspawn --register=no \
--directory="$root" \
--boot \
--volatile=yes \
--link-journal=host \
systemd.unit=systemd-tmpfiles-setup.service
local gid
gid="$(stat -c '%g' "$journal_dir")"
# Ensure GID is not 4294967295 (GID_INVALID)
[[ "$gid" != "4294967295" ]]
# Ensure the directory is owned by a valid user (root or systemd-journal
# group). The GID should be either 0 (root) or the systemd-journal GID, not
# some bombastically large number
[[ "$gid" -lt 65535 ]]
# Ensure the invalid GID doesn't appear in ACLs
acl_output="$(getfacl "$journal_dir" || true)"
grep -q "4294967295" <<< "$acl_output" && exit 1
rm -fr "$root" "$journal_dir"
}
testcase_cap_net_bind_service() {
local root