sudo fails during rootless build when using btrfs graph driver

[waruiji]

Issue Description

When a containerfile is setup to run sudo as part of container build, the sudo invocation fails when using btrfs as storage backend.
The same containerfile works when overlay is used.

Steps to reproduce the issue

Steps to reproduce the issue

1. Create containerfile with the following content

FROM archlinux:base-devel
RUN useradd --create-home --non-unique --uid 1000 --groups wheel dev
RUN echo '%wheel ALL = NOPASSWD: ALL' >> /etc/sudoers
USER dev:wheel
RUN sudo -l

2. Try to build it with the following command: podman buildx build -f containerfile

Describe the results you received

STEP 5/5: RUN sudo -l
sudo: effective uid is not 0, is /usr/sbin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Describe the results you expected

Successful build.

podman info output

host:
  arch: amd64
  buildahVersion: 1.33.3
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.10-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: 2dcd736e46ded79a53339462bc251694b150f870'
  cpuUtilization:
    idlePercent: 97.4
    systemPercent: 0.86
    userPercent: 1.74
  cpus: 20
  databaseBackend: boltdb
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  freeLocks: 2045
  hostname: ohara
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 60388
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 60388
      size: 1
    - container_id: 1
      host_id: 524288
      size: 65536
  kernel: 6.7.1-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 2969165824
  memTotal: 33427738624
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: Unknown
    package: /usr/lib/podman/netavark is owned by netavark 1.10.1-1
    path: /usr/lib/podman/netavark
    version: netavark 1.10.1
  ociRuntime:
    name: crun
    package: /usr/bin/crun is owned by crun 1.14-1
    path: /usr/bin/crun
    version: |-
      crun version 1.14
      commit: 667e6ebd4e2442d39512e63215e79d693d0780aa
      rundir: /run/user/60388/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: ""
    package: ""
    version: ""
  remoteSocket:
    exists: false
    path: /run/user/60388/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.2-1
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.5
  swapFree: 1070829568
  swapTotal: 1073737728
  uptime: 19h 38m 8.00s (Approximately 0.79 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries: {}
store:
  configFile: /home/<redacted>/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/<redacted>/.local/share/containers/storage
  graphRootAllocated: 999129350144
  graphRootUsed: 964624011264
  graphStatus:
    Build Version: Btrfs v6.7
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 120
  runRoot: /run/user/60388/containers
  transientStore: false
  volumePath: /home/<redacted>/.local/share/containers/storage/volumes
version:
  APIVersion: 4.9.0
  Built: 1706014507
  BuiltTime: Tue Jan 23 13:55:07 2024
  GitCommit: f7c7b0a7e437b6d4849a9fb48e0e779c3100e337-dirty
  GoVersion: go1.21.6
  Os: linux
  OsArch: linux/amd64
  Version: 4.9.0

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Additional environment details

Additional information

Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting

[giuseppe]

any reason for preferring btrfs over overlay? Our core team doesn't use or maintain the btrfs backend. It's mainly driven by community efforts.

I'd suggest to follow the warning given by sudo and verify that the sudo binary has the setuid bit set, and the mount options for the file system inside the container.

[waruiji]

No particular reason except thinking that native btrfs support with snapshots would work "better" than overlay.
sudo has the setuid bit set, and it works with overlay driver, so I suppose the problems are in the mount options.

[rhatdan]

Usually this happens because of some additional security tool that has been installed or the directory where the setuid/setfcap files are installed is mounted with NOSUID. Another cause could be if the user account is running with nonewprivs set or does not have CAP_SETUID and CAP_SETGID in the bounding set.

[waruiji]

Here is the setpriv --dump result. It seems fine to me.

uid: ...
euid: ...
gid: ...
egid: ...
Supplementary groups: ..,...
no_new_privs: 0
Inheritable capabilities: [none]
Ambient capabilities: [none]
Capability bounding set: chown,dac_override,dac_read_search,fowner,fsetid,kill, setgid,setuid, setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read,perfmon,bpf,checkpoint_restore
Securebits: [none]
Parent death signal: [none]
AppArmor profile: unconfined

I haven't knowingly installed any other security tool.

[Luap99]

I close this one as it sounds more like environment issue. You need to make sure setuid is allowed for the fs/user