From ef1accae91e490fc7c371f0d0ef50c57f385b232 Mon Sep 17 00:00:00 2001
From: Yegor Timoshenko
Date: Wed, 20 Dec 2017 03:02:17 +0000
Subject: [PATCH] chrootenv: print sysctl command for Debian users, fixes #32876

---
 .../build-fhs-userenv/chrootenv.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkgs/build-support/build-fhs-userenv/chrootenv.c b/pkgs/build-support/build-fhs-userenv/chrootenv.c
index 8d6c98959cc9..97e69b7d0b22 100644
--- a/pkgs/build-support/build-fhs-userenv/chrootenv.c
+++ b/pkgs/build-support/build-fhs-userenv/chrootenv.c
@@ -98,10 +98,12 @@ int nftw_rm(const char *path, const struct stat *sb, int type,
 #define LEN(x) sizeof(x) / sizeof(*x)
 
+#define REQUIREMENTS "Linux version >= 3.19 built with CONFIG_USER_NS option"
+
 int main(int argc, char *argv[]) {
   if (argc < 2) {
     fprintf(stderr, "Usage: %s command [arguments...]\n"
-            "Requires Linux kernel >= 3.19 with CONFIG_USER_NS.\n",
+            "Requires " REQUIREMENTS ".\n",
             argv[0]);
     exit(EX_USAGE);
   }
 
@@ -128,7 +130,7 @@ int main(int argc, char *argv[]) {
   // If we are root, no need to create new user namespace.
   if (uid == 0) {
     if (unshare(CLONE_NEWNS) < 0)
-      errorf(EX_OSERR, "unshare() failed: You may have an old kernel or have CLONE_NEWUSER disabled by your distribution security settings.");
+      errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);
     // Mark all mounted filesystems as slave so changes
     // don't propagate to the parent mount namespace.
     if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0)
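Review bot: The new error message on the root path (`uid == 0`) attributes a failed `unshare(CLONE_NEWNS)` to the CONFIG_USER_NS requirement, but that branch never requests CLONE_NEWUSER, so a user-namespace hint is misleading there; a mount-namespace unshare failing as root points at missing namespace support or a sandbox/seccomp/container policy instead. I would keep the message specific to what was asked for, e.g. `errorf(EX_OSERR, "unshare(CLONE_NEWNS): mount namespaces unavailable (kernel without namespace support, or blocked by a container/seccomp policy?)");`, and leave the REQUIREMENTS wording to the unprivileged path. Whether `errorf` appends `strerror(errno)` is not visible here; if it does not, printing errno in this message would help the user far more than a generic requirements string. The enclosing `main` continues outside this hunk.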
@@ -136,8 +138,13 @@ int main(int argc, char *argv[]) {
   } else {
     // Create new mount and user namespaces. CLONE_NEWUSER
     // requires a program to be non-threaded.
-    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0)
-      errorf(EX_OSERR, "unshare");
+    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {
+      if (access("/tmp/proc/sys/kernel/unprivileged_userns_clone", F_OK) < 0)
+        errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);
+      else
+        errorf(EX_OSERR, "unshare: run `sudo sysctl -w "
+                         "kernel.unprivileged_userns_clone=1`");
+    }
 
     // Map users and groups to the parent namespace.
     // setgroups is only available since Linux 3.19:
@@ -170,7 +177,8 @@ int main(int argc, char *argv[]) {
   if (waitpid(cpid, &status, 0) < 0)
     errorf(EX_OSERR, "waitpid");
 
-  if (nftw(root, nftw_rm, getdtablesize(), FTW_DEPTH | FTW_MOUNT | FTW_PHYS) < 0)
+  if (nftw(root, nftw_rm, getdtablesize(), FTW_DEPTH | FTW_MOUNT | FTW_PHYS) <
+      0)
     errorf(EX_IOERR, "nftw");
 
   if (WIFEXITED(status))
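Review bot: The `access()` probe in the unprivileged branch looks at `/tmp/proc/sys/kernel/unprivileged_userns_clone`, and unless something earlier in `main` (outside this hunk) mounts a procfs under `/tmp/proc` — nothing visible here does, and this runs before any namespace or mount is set up — that path will not exist, so the sysctl hint the commit is meant to add is never printed and every failure degrades to the generic REQUIREMENTS message; the Debian knob lives at `/proc/sys/kernel/unprivileged_userns_clone`. Two further issues with the probe: `access()` overwrites `errno`, so if `errorf` reports the failure reason the original `unshare` errno is lost, and existence of the file is not the same as it being `0` — on a Debian kernel where the sysctl is already `1` and `unshare` failed for another reason (seccomp, a user-namespace limit, a container policy) the user is told to run a sysctl that cannot help. I would save errno, read the value, and only recommend the sysctl when it actually reads `0`; it is also worth saying in the message that `sysctl -w` is not persistent across reboot and that Debian ships the knob off as a hardening default, since the hint is asking the user to widen kernel attack surface system-wide. The enclosing `main` continues outside this hunk.
```c
    if (unshare(CLONE_NEWNS | CLONE_NEWUSER) < 0) {
      int saved_errno = errno; // fopen()/fgetc() below clobber errno
      FILE *knob = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
      int value = knob ? fgetc(knob) : EOF;
      if (knob)
        fclose(knob);
      errno = saved_errno;
      if (value == '0')
        errorf(EX_OSERR, "unshare: unprivileged user namespaces are disabled; "
                         "run `sudo sysctl -w kernel.unprivileged_userns_clone=1` "
                         "(not persistent across reboot)");
      else
        errorf(EX_OSERR, "unshare: requires " REQUIREMENTS);
    }
    // … unchanged: uid/gid mapping …
```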