Bug 1416600
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | A few folders in /usr are not owner-writable | | |
| Product | [Fedora] Fedora Container Images | Reporter | Felix Abecassis <felix.abecassis> |
| Component | mirrormanager2-mirrorlist | Assignee | Patrick Uiterwijk <puiterwijk> |
| Status | CLOSED DUPLICATE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 25 | CC | awilliam, pmatilai, puiterwijk, sgrubb, shigorin, walters |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-01-27 22:45:37 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Felix Abecassis
2017-01-26 01:13:42 UTC
For the impact on Singularity, see this comment from one of its maintainers: https://github.com/CentOS/sig-cloud-instance-images/issues/67#issuecomment-264596653

On the original GitHub bug report mentioned in the description, the culprit seems to be the "filesystem" package since CentOS 6: https://github.com/CentOS/sig-cloud-instance-images/issues/67#issuecomment-275631819

Note that this issue also creates complications in the context of user namespaces, see this comment: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1659087/comments/8

Receiving EOVERFLOW when your UID is not part of the user namespace seems to be the new behavior that upstream will follow; setfsuid/setfsgid must be used instead, but when the rootfs has weird permissions like that, you must also enable CAP_DAC_OVERRIDE to make it work.

*** This bug has been marked as a duplicate of bug 517575 ***

Well, this isn't strictly speaking a *dupe*, because that was the bug that actually *requested the change in the first place*; this bug is reporting a problem *caused by* that change. That's why I set See Also, not Duplicate. But it's not a big deal.

That bug looks like a formal public announcement of a (stupid) thing to do; the problem created was briefly discussed there as well indeed: https://bugzilla.redhat.com/show_bug.cgi?id=517575#c2

I've asked Dmitry Levin since and IIRC he didn't see any real security benefit in the change made as well.
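As an added example, not code from this bug report, from Singularity or from Fedora's filesystem package: a small C audit tool that walks a rootfs (or a live /usr), reports every directory whose mode lacks the owner-write bit, which is the condition the summary describes, and then probes whether the calling process can create a file in such a directory. The probe shows the CAP_DAC_OVERRIDE point made in the thread: for an unprivileged owner the open() fails with EACCES even though the owner bits say 0555, while a process holding CAP_DAC_OVERRIDE (root in the initial user namespace) succeeds. The fixture tree under /tmp, its directory names and the `.probe.<pid>` file name are constructed for this demonstration and are not taken from any image.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Counters filled in by the nftw() callback. */
static int g_dirs_seen;
static int g_dirs_no_uw;

/* nftw() callback: count every directory and flag those whose mode lacks
 * S_IWUSR (the "not owner-writable" condition from the bug summary). */
static int visit(const char *path, const struct stat *sb, int typeflag,
                 struct FTW *ftwbuf)
{
    (void)ftwbuf;
    if (typeflag == FTW_D) {
        g_dirs_seen++;
        if (!(sb->st_mode & S_IWUSR)) {
            g_dirs_no_uw++;
            printf("missing u+w: %s (mode %04o)\n", path,
                   (unsigned)(sb->st_mode & 07777));
        }
    }
    return 0; /* keep walking */
}

/* Walk `root` without following symlinks or crossing mount points and
 * return how many directories lack the owner-write bit, or -1 on error. */
int count_dirs_without_owner_write(const char *root)
{
    g_dirs_seen = 0;
    g_dirs_no_uw = 0;
    if (nftw(root, visit, 32, FTW_PHYS | FTW_MOUNT) != 0)
        return -1;
    return g_dirs_no_uw;
}

/* Try to create (and immediately remove) a file inside `dir`.
 * Returns 0 on success, otherwise the errno from the failed open().
 * In a 0555 directory an unprivileged owner gets EACCES; a process with
 * CAP_DAC_OVERRIDE succeeds, which is why the thread says Singularity
 * needs that capability on top of setfsuid/setfsgid. */
int probe_create_in(const char *dir)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/.probe.%ld", dir, (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}

/* Constructed fixture (not a real image): builds
 *   <tmp>/bin (0555), <tmp>/lib (0755), <tmp>/share (0755), <tmp>/share/doc (0555)
 * runs the scanner over it, tears it down, and returns the flagged count. */
int demo_constructed_tree(void)
{
    char root[] = "/tmp/usrperm-XXXXXX";
    if (mkdtemp(root) == NULL)
        return -1;
    mode_t saved = umask(0); /* apply the explicit modes below as given */
    const char *subdirs[] = { "bin", "lib", "share", "share/doc" };
    const mode_t modes[]  = { 0555,  0755,  0755,    0555 };
    char p[PATH_MAX];
    for (int i = 0; i < 4; i++) {
        snprintf(p, sizeof p, "%s/%s", root, subdirs[i]);
        mkdir(p, modes[i]);
    }
    umask(saved);

    int flagged = count_dirs_without_owner_write(root);

    /* tear down deepest first; rmdir only needs write access on the parent */
    for (int i = 3; i >= 0; i--) {
        snprintf(p, sizeof p, "%s/%s", root, subdirs[i]);
        rmdir(p);
    }
    rmdir(root);
    return flagged; /* bin and share/doc */
}

/* Constructed fixture: probe a fresh 0555 directory that this process owns. */
int demo_probe_readonly_dir(void)
{
    char root[] = "/tmp/usrperm-XXXXXX";
    if (mkdtemp(root) == NULL)
        return -1;
    chmod(root, 0555);
    int rc = probe_create_in(root);
    chmod(root, 0700);
    rmdir(root);
    return rc; /* 0 with CAP_DAC_OVERRIDE, EACCES for an unprivileged owner */
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/usr";
    int n = count_dirs_without_owner_write(root);
    if (n < 0) {
        perror("nftw");
        return 1;
    }
    printf("%s: %d of %d directories lack u+w\n", root, n, g_dirs_seen);
    int rc = probe_create_in(root);
    printf("creating a file directly under %s: %s\n", root,
           rc == 0 ? "ok" : strerror(rc));
    return n > 0 ? 2 : 0;
}
```

Point it at an unpacked image (`./usrperm /path/to/rootfs/usr`) or at the live system; it stays on one filesystem and does not follow symlinks, so a bind-mounted /usr inside a container does not drag the host tree in. The exit status of 2 when any directory is flagged makes it usable as a build-time check for a container image.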