Bug#953674: nautilus: Thumbnail generation silently fails without unprivileged_userns_clone

Ian Wienand ian at wienand.org
Thu Mar 12 09:01:50 GMT 2020


Interesting, I haven't changed it and it's set setuid; exactly the same as
yours.

$ ls -l /usr/bin/bwrap
-rwsr-xr-x 1 root root 59680 Nov 28 22:14 /usr/bin/bwrap

There's no oddness in my mounts; / is just a plain old ext4 and doesn't
have suid or anything set:

/dev/mapper/jj--vg-root / ext4 rw,relatime,errors=remount-ro 0 0

Non-modified kernel:

$ uname -a
Linux jj 5.4.0-4-amd64 #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 GNU/Linux

It's the clone that fails:

7836  stat("/proc/self/ns/cgroup", {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
7836  eventfd2(0, EFD_CLOEXEC)          = 5
7836  clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted)
7836  write(2, "bwrap: ", 7)            = 7
7836  write(2, "No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.", 199 <unfinished ...>

On Thu, Mar 12, 2020 at 6:56 PM Simon McVittie <smcv at debian.org> wrote:

> On Thu, 12 Mar 2020 at 17:14:12 +1100, Ian Wienand wrote:
> > 7836  write(2, "No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.", 199 <unfinished ...>
> > ---
> >
> > Setting kernel.unprivileged_userns_clone = 1 made thumbnails work again.
>
> Is /usr/bin/bwrap setuid root? If you haven't changed it, its permissions
> should be something like this:
>
> $ ls -l /usr/bin/bwrap
> -rwsr-xr-x 1 root root 59680 Nov 28 11:14 /usr/bin/bwrap
>
> It's meant to work on Debian kernels if it is setuid root *or*
> if the kernel.unprivileged_userns_clone sysctl is set to 1.
>
>     smcv
>
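The thread boils down to two independent conditions for bwrap to work on a Debian kernel: either /usr/bin/bwrap is setuid root, or the kernel.unprivileged_userns_clone sysctl is 1 so an ordinary process may create a user namespace. The following small C diagnostic is an added example written for this page, not code from the bug report or from bubblewrap; it checks both conditions directly (the setuid bit on the bwrap path from the thread, and an actual attempt to create a user namespace in a throwaway child, which is what the failing clone() above is doing) and reads the Debian sysctl through its /proc path, which is an assumption about where that sysctl is exposed and is simply reported as absent on kernels without it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback for toolchains whose <sched.h> hides CLONE_* without _GNU_SOURCE. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Outcome of trying to create a user namespace from an unprivileged process. */
enum userns_result { USERNS_OK = 0, USERNS_EPERM = 1, USERNS_OTHER = 2 };

/* Fork a child that tries unshare(CLONE_NEWUSER) so the caller's own
   namespaces are untouched; the child's exit status carries the result.
   This is the same permission check the clone() in the strace hits. */
enum userns_result probe_unprivileged_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_OTHER;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER) == 0)
            _exit(USERNS_OK);
        _exit(errno == EPERM ? USERNS_EPERM : USERNS_OTHER);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_OTHER;
    int code = WEXITSTATUS(status);
    return code <= USERNS_OTHER ? (enum userns_result)code : USERNS_OTHER;
}

/* 1 if path is setuid and owned by root (the -rwsr-xr-x root root case
   in the thread), 0 if not, -1 if stat() fails. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_uid == 0 && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Parse the one-line contents of the sysctl file ("0\n" or "1\n");
   returns -1 for anything else so a surprising value is not misread. */
int parse_userns_clone_sysctl(const char *text)
{
    if (text == NULL)
        return -1;
    if ((text[0] == '0' || text[0] == '1') && (text[1] == '\n' || text[1] == '\0'))
        return text[0] - '0';
    return -1;
}

/* Read the Debian-specific sysctl; -1 when the file is absent (assumed
   /proc path; other distributions' kernels do not carry this knob). */
int read_userns_clone_sysctl(void)
{
    char buf[16] = {0};
    FILE *f = fopen("/proc/sys/kernel/unprivileged_userns_clone", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_userns_clone_sysctl(buf);
}

/* Simon's rule from the thread: bwrap works if it is setuid root OR
   unprivileged user namespaces are allowed. */
const char *diagnose(int setuid_root, enum userns_result probe)
{
    if (setuid_root == 1)
        return "ok: bwrap is setuid root, no sysctl needed";
    if (probe == USERNS_OK)
        return "ok: unprivileged user namespaces allowed";
    if (probe == USERNS_EPERM)
        return "fail: EPERM on CLONE_NEWUSER and bwrap not setuid root";
    return "unknown: could not probe user namespaces";
}

int main(void)
{
    int suid = is_setuid_root("/usr/bin/bwrap");
    enum userns_result probe = probe_unprivileged_userns();
    int sysctl = read_userns_clone_sysctl();
    printf("bwrap setuid root: %d (-1 = not found)\n", suid);
    printf("kernel.unprivileged_userns_clone: %d (-1 = sysctl absent)\n", sysctl);
    printf("unshare(CLONE_NEWUSER) probe: %d (0 ok, 1 EPERM, 2 other)\n", (int)probe);
    printf("%s\n", diagnose(suid, probe));
    return 0;
}
```

Run it as the same unprivileged user that runs nautilus: a "fail" verdict together with a setuid-root bwrap means the setuid bit is effectively being ignored (for example by a nosuid mount of the filesystem holding /usr/bin), which is the distinction Simon was trying to pin down; a "fail" with a non-setuid bwrap and the sysctl reading 0 matches the EPERM in the strace and is what setting kernel.unprivileged_userns_clone=1 fixes.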