$ ls -ld /data /data/lonewolf-repo/
drwxrwxrwt 5 root root 4096 11 mei 20:12 /data
drwxrws--- 3 panoramix pkgbuilder 12288 24 mei 19:15 /data/lonewolf-repo/
$
$ getent group pkgbuilder
pkgbuilder:x:1002:panoramix,alpm,root
$
pacman.conf snippet
DownloadUser = alpm
#DisableSandbox
[lonewolf]
SigLevel = Optional TrustAll
Server = file:///data/lonewolf-repo
$ su -c "pacman -Syu"
Password:
:: Synchronizing package databases...
core is up to date
extra is up to date
multilib is up to date
core-debug is up to date
extra-debug 3.8 MiB 1138 KiB/s 00:03 [#############################################] 100%
multilib-debug is up to date
lonewolf.db failed to download
error: failed retrieving file 'lonewolf.db' from disk : Couldn't open file /data/lonewolf-repo/lonewolf.db
error: failed to synchronize all databases (failed to retrieve some files)
$
Running pacman -Syu from a tty while logged in as root gives the same output.
Commenting out the DownloadUser line makes everything work.
# pacman -Syu --debug
debug: pacman v7.0.0 - libalpm v15.0.0
debug: config: new section 'options'
debug: config: HoldPkg: pacman
debug: config: HoldPkg: glibc
debug: config: Architecture: auto
debug: config: arch: x86_64
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.RealtimeKit1.service
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.UPower.service
debug: config: NoExtract: usr/lib/security/pam_systemd_home.so
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.oom1.service
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.timedate1.service
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.timesync1.service
debug: config: NoExtract: usr/share/dbus-1/system-services/org.freedesktop.network1.service
debug: config: verbosepkglists
debug: config: sandboxuser: alpm
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: config: LocalFileSigLevel: Optional
debug: config: new section 'core'
debug: config file /etc/pacman.conf, line 84: including /etc/pacman.d/mirrorlist
debug: config: new section 'extra'
debug: config file /etc/pacman.conf, line 90: including /etc/pacman.d/mirrorlist
debug: config: new section 'multilib'
debug: config file /etc/pacman.conf, line 99: including /etc/pacman.d/mirrorlist
debug: config: new section 'core-debug'
debug: config: new section 'extra-debug'
debug: config: new section 'multilib-debug'
debug: config: new section 'lonewolf'
debug: config: SigLevel: Optional
debug: config: SigLevel: TrustAll
debug: config: finished parsing /etc/pacman.conf
debug: setup_libalpm called
debug: option 'logfile' = /var/log/pacman.log
debug: option 'gpgdir' = /etc/pacman.d/gnupg/
debug: option 'hookdir' = /etc/pacman.d/hooks/
debug: option 'cachedir' = /var/cache/pacman/pkg/
debug: registering sync database 'core'
debug: database path for tree core set to /var/lib/pacman/sync/core.db
debug: "/var/lib/pacman/sync/core.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for core repository
debug: adding new server URL to database 'core': http://mirror.ams1.nl.leaseweb.net/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': https://geo.mirror.pkgbuild.com/core/os/x86_64
debug: adding new server URL to database 'core': https://mirror.rackspace.com/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': http://ftp.nluug.nl/os/Linux/distr/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': http://mirror.rackspace.com/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': http://ftp.snt.utwente.nl/pub/os/linux/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': http://mirror.cj2.nl/archlinux/core/os/x86_64
debug: adding new server URL to database 'core': http://arch.mirrors.lavatech.top/core/os/x86_64
debug: adding new server URL to database 'core': http://archlinux.mirror.wearetriple.com/core/os/x86_64
debug: registering sync database 'extra'
debug: database path for tree extra set to /var/lib/pacman/sync/extra.db
debug: "/var/lib/pacman/sync/extra.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for extra repository
debug: adding new server URL to database 'extra': http://mirror.ams1.nl.leaseweb.net/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': https://geo.mirror.pkgbuild.com/extra/os/x86_64
debug: adding new server URL to database 'extra': https://mirror.rackspace.com/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': http://ftp.nluug.nl/os/Linux/distr/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': http://mirror.rackspace.com/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': http://ftp.snt.utwente.nl/pub/os/linux/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': http://mirror.cj2.nl/archlinux/extra/os/x86_64
debug: adding new server URL to database 'extra': http://arch.mirrors.lavatech.top/extra/os/x86_64
debug: adding new server URL to database 'extra': http://archlinux.mirror.wearetriple.com/extra/os/x86_64
debug: registering sync database 'multilib'
debug: database path for tree multilib set to /var/lib/pacman/sync/multilib.db
debug: "/var/lib/pacman/sync/multilib.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/multilib.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for multilib repository
debug: adding new server URL to database 'multilib': http://mirror.ams1.nl.leaseweb.net/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': https://geo.mirror.pkgbuild.com/multilib/os/x86_64
debug: adding new server URL to database 'multilib': https://mirror.rackspace.com/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://ftp.nluug.nl/os/Linux/distr/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://mirror.rackspace.com/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://ftp.snt.utwente.nl/pub/os/linux/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://mirror.cj2.nl/archlinux/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://arch.mirrors.lavatech.top/multilib/os/x86_64
debug: adding new server URL to database 'multilib': http://archlinux.mirror.wearetriple.com/multilib/os/x86_64
debug: registering sync database 'core-debug'
debug: database path for tree core-debug set to /var/lib/pacman/sync/core-debug.db
debug: "/var/lib/pacman/sync/core-debug.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core-debug.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for core-debug repository
debug: adding new server URL to database 'core-debug': https://geo.mirror.pkgbuild.com/core-debug/os/x86_64
debug: registering sync database 'extra-debug'
debug: database path for tree extra-debug set to /var/lib/pacman/sync/extra-debug.db
debug: "/var/lib/pacman/sync/extra-debug.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra-debug.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for extra-debug repository
debug: adding new server URL to database 'extra-debug': https://geo.mirror.pkgbuild.com/extra-debug/os/x86_64
debug: registering sync database 'multilib-debug'
debug: database path for tree multilib-debug set to /var/lib/pacman/sync/multilib-debug.db
debug: "/var/lib/pacman/sync/multilib-debug.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/multilib-debug.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for multilib-debug repository
debug: adding new server URL to database 'multilib-debug': https://geo.mirror.pkgbuild.com/multilib-debug/os/x86_64
debug: registering sync database 'lonewolf'
debug: database path for tree lonewolf set to /var/lib/pacman/sync/lonewolf.db
debug: "/var/lib/pacman/sync/lonewolf.db.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/lonewolf.db.sig could not be opened
debug: got error 43 at _alpm_gpgme_checksig (../lib/libalpm/signing.c: 599) : missing PGP signature
debug: missing optional signature
debug: setting usage of 15 for lonewolf repository
debug: adding new server URL to database 'lonewolf': file:///data/lonewolf-repo
debug: option 'sandboxuser' = alpm
:: Synchronizing package databases...
core downloading...
extra downloading...
multilib downloading...
core-debug downloading...
extra-debug downloading...
multilib-debug downloading...
lonewolf downloading...
debug: filesystem access has been restricted to /var/lib/pacman/sync/download-GFtNMj/, landlock ABI is 6
debug: core.db: url is http://mirror.ams1.nl.leaseweb.net/archlinux/core/os/x86_64/core.db
debug: core.db: maxsize 134217728
debug: core.db: using time condition 1748415218
debug: core.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/core.db.part (wb)
debug: extra.db: url is http://mirror.ams1.nl.leaseweb.net/archlinux/extra/os/x86_64/extra.db
debug: extra.db: maxsize 134217728
debug: extra.db: using time condition 1748509360
debug: extra.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/extra.db.part (wb)
debug: multilib.db: url is http://mirror.ams1.nl.leaseweb.net/archlinux/multilib/os/x86_64/multilib.db
debug: multilib.db: maxsize 134217728
debug: multilib.db: using time condition 1748340665
debug: multilib.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/multilib.db.part (wb)
debug: core-debug.db: url is https://geo.mirror.pkgbuild.com/core-debug/os/x86_64/core-debug.db
debug: core-debug.db: maxsize 134217728
debug: core-debug.db: using time condition 1748340658
debug: core-debug.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/core-debug.db.part (wb)
debug: extra-debug.db: url is https://geo.mirror.pkgbuild.com/extra-debug/os/x86_64/extra-debug.db
debug: extra-debug.db: maxsize 134217728
debug: extra-debug.db: using time condition 1748513273
debug: extra-debug.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/extra-debug.db.part (wb)
debug: multilib-debug.db: url is https://geo.mirror.pkgbuild.com/multilib-debug/os/x86_64/multilib-debug.db
debug: multilib-debug.db: maxsize 134217728
debug: multilib-debug.db: using time condition 1748340665
debug: multilib-debug.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/multilib-debug.db.part (wb)
debug: lonewolf.db: url is file:///data/lonewolf-repo/lonewolf.db
debug: lonewolf.db: maxsize 134217728
debug: lonewolf.db: using time condition 1748106922
debug: lonewolf.db: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/lonewolf.db.part (wb)
debug: lonewolf.db: curl returned result 37 from transfer
error: failed retrieving file 'lonewolf.db' from disk : Couldn't open file /data/lonewolf-repo/lonewolf.db
debug: lonewolf.db: no more servers to retry
debug: multilib.db: curl returned result 0 from transfer
debug: multilib.db: response code 304
debug: multilib.db.sig: url is http://mirror.ams1.nl.leaseweb.net/archlinux/multilib/os/x86_64/multilib.db.sig
debug: multilib.db.sig: maxsize 16384
debug: multilib.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/multilib.db.sig.part (wb)
debug: multilib.db: file met time condition
debug: core.db: curl returned result 0 from transfer
debug: core.db: response code 304
debug: core.db.sig: url is http://mirror.ams1.nl.leaseweb.net/archlinux/core/os/x86_64/core.db.sig
debug: core.db.sig: maxsize 16384
debug: core.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/core.db.sig.part (wb)
debug: core.db: file met time condition
debug: extra.db: curl returned result 0 from transfer
debug: extra.db: response code 304
debug: extra.db.sig: url is http://mirror.ams1.nl.leaseweb.net/archlinux/extra/os/x86_64/extra.db.sig
debug: extra.db.sig: maxsize 16384
debug: extra.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/extra.db.sig.part (wb)
debug: extra.db: file met time condition
debug: multilib.db.sig: curl returned result 0 from transfer
debug: multilib.db.sig: response code 404
debug: multilib.db.sig: no more servers to retry
debug: core.db.sig: curl returned result 0 from transfer
debug: core.db.sig: response code 404
debug: core.db.sig: no more servers to retry
debug: extra.db.sig: curl returned result 0 from transfer
debug: extra.db.sig: response code 404
debug: extra.db.sig: no more servers to retry
debug: core-debug.db: curl returned result 0 from transfer
debug: core-debug.db: response code 304
debug: core-debug.db.sig: url is https://geo.mirror.pkgbuild.com/core-debug/os/x86_64/core-debug.db.sig
debug: core-debug.db.sig: maxsize 16384
debug: core-debug.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/core-debug.db.sig.part (wb)
debug: core-debug.db: file met time condition
debug: multilib-debug.db: curl returned result 0 from transfer
debug: multilib-debug.db: response code 304
debug: multilib-debug.db.sig: url is https://geo.mirror.pkgbuild.com/multilib-debug/os/x86_64/multilib-debug.db.sig
debug: multilib-debug.db.sig: maxsize 16384
debug: multilib-debug.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/multilib-debug.db.sig.part (wb)
debug: multilib-debug.db: file met time condition
debug: core-debug.db.sig: curl returned result 0 from transfer
debug: core-debug.db.sig: response code 404
debug: core-debug.db.sig: no more servers to retry
debug: multilib-debug.db.sig: curl returned result 0 from transfer
debug: multilib-debug.db.sig: response code 404
debug: multilib-debug.db.sig: no more servers to retry
debug: extra-debug.db: curl returned result 0 from transfer
debug: extra-debug.db: response code 200
debug: extra-debug.db.sig: url is https://geo.mirror.pkgbuild.com/extra-debug/os/x86_64/extra-debug.db.sig
debug: extra-debug.db.sig: maxsize 16384
debug: extra-debug.db.sig: opened tempfile for download: /var/lib/pacman/sync/download-GFtNMj/extra-debug.db.sig.part (wb)
debug: extra-debug.db.sig: curl returned result 0 from transfer
debug: extra-debug.db.sig: response code 404
debug: extra-debug.db.sig: no more servers to retry
debug: curl_download_internal return code is -1
debug: failed to sync dbs: failed to retrieve some files
error: failed to synchronize all databases (failed to retrieve some files)
debug: unregistering database 'local'
debug: unregistering database 'core'
debug: unregistering database 'extra'
debug: unregistering database 'multilib'
debug: unregistering database 'core-debug'
debug: unregistering database 'extra-debug'
debug: unregistering database 'multilib-debug'
debug: unregistering database 'lonewolf'
#
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
What are the perms of the actual db file? Just to make sure.
$ ls -l /data/lonewolf-repo/ | grep lonewolf
lrwxrwxrwx 1 panoramix pkgbuilder 18 24 mei 19:15 lonewolf.db -> lonewolf.db.tar.xz
-rw-r--r-- 1 panoramix pkgbuilder 18996 24 mei 19:15 lonewolf.db.tar.xz
-rw-r--r-- 1 panoramix pkgbuilder 19000 24 mei 16:41 lonewolf.db.tar.xz.old
lrwxrwxrwx 1 panoramix pkgbuilder 21 24 mei 19:15 lonewolf.files -> lonewolf.files.tar.xz
-rw-r--r-- 1 panoramix pkgbuilder 527592 24 mei 19:15 lonewolf.files.tar.xz
-rw-r--r-- 1 panoramix pkgbuilder 527520 24 mei 16:41 lonewolf.files.tar.xz.old
$
stat -L -c '%a %U:%G %n' / /data /data/lonewolf-repo /data # /data/lonewolf-repo/lonewolf.db - but we have that
/data occurred twice in that line, I removed the 2nd one. Added /data/lonewolf-repo/lonewolf.db for completeness.
$ stat -L -c '%a %U:%G %n' / /data /data/lonewolf-repo /data/lonewolf-repo/lonewolf.db
755 root:root /
1777 root:root /data
2770 panoramix:pkgbuilder /data/lonewolf-repo
644 panoramix:pkgbuilder /data/lonewolf-repo/lonewolf.db
$
2770 panoramix:pkgbuilder /data/lonewolf-repo
Is the alpm user in the pkgbuilder group?
id alpm
$ id alpm
uid=957(alpm) gid=957(alpm) groups=957(alpm),1002(pkgbuilder)
$
Yes, it is a member.
What if you set the path 2777 ?
That would defeat the whole purpose of the pkgbuilder group, but I've tested it.
$ stat -L -c '%a %U:%G %n' /data/lonewolf-repo
2777 panoramix:pkgbuilder /data/lonewolf-repo
$
With that setting & DownloadUser = alpm, pacman -Syu finishes successfully.
It's likely because of the sgid, not sure why.
Why is it (and the suid on /data) set?
@seth
The SGID bit, when set on a directory, ensures that any files created within that directory will inherit the group ID of the directory, rather than the user's primary group.
About SUID on directories: it is said to be "mostly" ignored - without examples or further details.
Yup, that is the reason sgid is set.
As for the suid:
/data is actually the sole partition on my secondary drive and mounted through fstab.
# /dev/sda1
UUID=1dfdc9fd-0422-496f-b97f-1a6a4565337c /data ext4 rw,relatime 0 2
Maybe suid is default ?
I know what it does, I can sorta imagine why it's used, but maybe there's an alternative depending on the restrictions.
The main question atm is however whether it's what's throwing pacman off, ie whether 0770 is ok as well.
Ran chmod g-s /data/lonewolf-repo
$ stat -L -c '%a %U:%G %n' /data/lonewolf-repo
770 panoramix:pkgbuilder /data/lonewolf-repo
$
With DownloadUser = alpm enabled, pacman -Syu still fails to retrieve the file.
I'm curious what exactly happens in the open system call:
# strace -e trace=openat -f --seccomp-bpf -o pacman.trace -- pacman -Syu
Last edited by topcat01 (2025-05-29 18:33:54)
My money is on the sandbox dropping the extended users and 0770 (and probably 2770) panoramix:alpm works....
Edit: if not/feasible, 2775 isn't an option?
Last edited by seth (2025-05-29 18:45:41)
# su -c 'stat /file.db' alpm
works?
# su -c 'stat /file.db' alpm
works?
no, possibly because alpm has /usr/bin/nologin as a shell.
# su -c 'stat /data/lonewolf-repo/lonewolf.db' alpm
This account is currently not available.
I'm curious what exactly happens in the open system call:
# strace -e trace=openat -f --seccomp-bpf -o pacman.trace -- pacman -Syu
I uploaded pacman.trace to http://0x0.st/83Mc.csv
My money is on the sandbox dropping the extended users and 0770 (and probably 2770) panoramix:alpm works....
that seems to work
# chown :alpm -R /data/lonewolf-repo/
# stat -L -c '%a %U:%G %n' /data/lonewolf-repo /data/lonewolf-repo/lonewolf.db
770 panoramix:alpm /data/lonewolf-repo
644 panoramix:alpm /data/lonewolf-repo/lonewolf.db
# pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
multilib is up to date
core-debug is up to date
extra-debug is up to date
multilib-debug is up to date
lonewolf is up to date
:: Starting full system upgrade...
there is nothing to do
#
It feels weird to have an owner that's not a group member.
Using a bind mount to separate alpm group access to the repo from the real user permissions feels much cleaner.
I also wonder how much access the alpm group actually needs, need to test if read-only access is enough.
I also wonder how much access the alpm group actually needs, need to test if read-only access is enough.
It is. I have a similar setup to you, I just have alpm have access via 'other' read-only perms.
$ stat -L -c '%a %U:%G %n' / /repo /repo/x86_64 /repo/x86_64/wormzy.db.tar.xz
755 root:root /
755 wormzy:root /repo
755 wormzy:users /repo/x86_64
644 wormzy:wormzy /repo/x86_64/wormzy.db.tar.xz
$ groups alpm
alpm : alpm
I also suspect the sandbox here. Perhaps the alpm user doesn't inherit the pkgbuilder group membership in the sandbox environment? No idea how to debug that to confirm though.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
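Every experiment reported in this thread (2770 and 770 panoramix:pkgbuilder fail, 2777 and chown :alpm work, wormzy's o+r layout works) follows from the ordinary POSIX permission rule once the downloader runs without its supplementary groups, which is what seth and wormzy suspect above. The model below is an added example, not pacman or libalpm code: it replays each layout against the alpm credentials both as `id alpm` reports them and as they would look after the sandbox cleared the group list. The alpm uid 957 and pkgbuilder gid 1002 are the thread's values; the ids for panoramix, wormzy and the `users` group are constructed placeholders.

```python
"""POSIX discretionary-access model replaying the DownloadUser failure.
Added example, not pacman code.  957/1002 are alpm/pkgbuilder from the
thread; 1000/1001/984 (panoramix, wormzy, users) are constructed."""
import posixpath
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int                          # effective gid
    groups: frozenset = frozenset()   # supplementary groups


@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits, may carry setgid/sticky, e.g. 0o2770
    uid: int
    gid: int


PERM_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def dac_allows(cred: Cred, inode: Inode, perm: str) -> bool:
    """Exactly one class applies: owner, else group, else other.  A non-owner
    reaches the group bits only through its effective gid or a supplementary
    group.  uid 0 bypasses r/w and needs any x bit for search, like the kernel."""
    u, g, o = PERM_BITS[perm]
    if cred.uid == 0:
        return perm != "x" or bool(inode.mode & (u | g | o))
    if cred.uid == inode.uid:
        return bool(inode.mode & u)
    if inode.gid == cred.gid or inode.gid in cred.groups:
        return bool(inode.mode & g)
    return bool(inode.mode & o)


def can_open_read(cred: Cred, fs: dict, path: str) -> bool:
    """open(path, O_RDONLY): search (x) on every ancestor, read on the leaf."""
    ancestors, p = [], path
    while p != "/":
        p = posixpath.dirname(p)
        ancestors.append(p)
    return (all(dac_allows(cred, fs[d], "x") for d in reversed(ancestors))
            and dac_allows(cred, fs[path], "r"))


def sandboxed(uid: int, gid: int) -> Cred:
    """Credentials after setgid(); setgroups(0, NULL); setuid(): no groups left."""
    return Cred(uid, gid, frozenset())


ROOT, ALPM, PKGBUILDER = 0, 957, 1002          # from the thread
PANORAMIX, WORMZY, USERS = 1000, 1001, 984     # constructed placeholder ids


def lonewolf_fs(repo_mode: int, repo_gid: int) -> dict:
    """The OP's layout; repo_mode/repo_gid vary per experiment in the thread."""
    return {
        "/": Inode(0o755, ROOT, ROOT),
        "/data": Inode(0o1777, ROOT, ROOT),
        "/data/lonewolf-repo": Inode(repo_mode, PANORAMIX, repo_gid),
        "/data/lonewolf-repo/lonewolf.db": Inode(0o644, PANORAMIX, repo_gid),
    }


WORMZY_FS = {   # wormzy's stat output: alpm reaches the db through 'other'
    "/": Inode(0o755, ROOT, ROOT),
    "/repo": Inode(0o755, WORMZY, ROOT),
    "/repo/x86_64": Inode(0o755, WORMZY, USERS),
    "/repo/x86_64/wormzy.db.tar.xz": Inode(0o644, WORMZY, WORMZY),
}


def replay() -> dict:
    db = "/data/lonewolf-repo/lonewolf.db"
    alpm_login = Cred(ALPM, ALPM, frozenset({PKGBUILDER}))   # as `id alpm` shows
    alpm_sandbox = sandboxed(ALPM, ALPM)
    return {
        "root, DownloadUser commented out": can_open_read(Cred(ROOT, ROOT), lonewolf_fs(0o2770, PKGBUILDER), db),
        "alpm with its login groups, 2770": can_open_read(alpm_login, lonewolf_fs(0o2770, PKGBUILDER), db),
        "alpm in sandbox, 2770 panoramix:pkgbuilder": can_open_read(alpm_sandbox, lonewolf_fs(0o2770, PKGBUILDER), db),
        "alpm in sandbox, 770 after chmod g-s": can_open_read(alpm_sandbox, lonewolf_fs(0o770, PKGBUILDER), db),
        "alpm in sandbox, 2777": can_open_read(alpm_sandbox, lonewolf_fs(0o2777, PKGBUILDER), db),
        "alpm in sandbox, 770 after chown :alpm": can_open_read(alpm_sandbox, lonewolf_fs(0o770, ALPM), db),
        "alpm in sandbox, wormzy's o+r layout": can_open_read(alpm_sandbox, WORMZY_FS, "/repo/x86_64/wormzy.db.tar.xz"),
    }


if __name__ == "__main__":
    for case, ok in replay().items():
        print(f"{'open ok' if ok else 'EACCES '}  {case}")
```

The two cases that fail are exactly the two the OP saw fail, and they fail at the directory search step, not at the 644 file: with no supplementary groups, alpm falls into the 'other' class on a 2770 or 770 directory, and the root bypass that makes `pacman -Syu` work without DownloadUser no longer applies.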
strace filtered on the pid which tries to open the db:
11071 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 6
11071 openat(AT_FDCWD, "/", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 8
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/", O_RDONLY|O_CLOEXEC|O_PATH|O_DIRECTORY) = 8
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/core.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/extra.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/multilib.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/core-debug.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 10
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/extra-debug.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 11
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/multilib-debug.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 12
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/lonewolf.db.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 13
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY <unfinished ...>
11071 <... openat resumed>) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/data/lonewolf-repo/lonewolf.db", O_RDONLY <unfinished ...>
11071 <... openat resumed>) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 21
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/core.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 14
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/extra.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/multilib.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/extra-debug.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/multilib-debug.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 openat(AT_FDCWD, "/var/lib/pacman/sync/download-xJwSiW/core-debug.db.sig.part", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 8
11071 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
11071 +++ exited with 2 +++
Looks like the sandbox drops the supplementary groups as seth suggested.
strace for "setgroups"
Excellent suggestion, and what I should have originally suggested.
const char *denied_syscalls[] = {
/* kernel modules */
"delete_module",
"finit_module",
"init_module",
/* mount */
"chroot",
"fsconfig",
"fsmount",
"fsopen",
"fspick",
"mount",
"mount_setattr",
"move_mount",
"open_tree",
"pivot_root",
"umount",
"umount2",
/* keyring */
"add_key",
"keyctl",
"request_key",
/* CPU emulation */
"modify_ldt",
"subpage_prot",
"switch_endian",
"vm86",
"vm86old",
/* debug */
"kcmp",
"lookup_dcookie",
"perf_event_open",
"pidfd_getfd",
"ptrace",
"rtas",
"sys_debug_setcontext",
/* set clock */
"adjtimex",
"clock_adjtime",
"clock_adjtime64",
"clock_settime",
"clock_settime64",
"settimeofday",
/* raw IO */
"ioperm",
"iopl",
"pciconfig_iobase",
"pciconfig_read",
"pciconfig_write",
/* kexec */
"kexec_file_load",
"kexec_load",
/* reboot */
"reboot",
/* privileged */
"acct",
"bpf",
"capset",
"chroot",
"fanotify_init",
"fanotify_mark",
"nfsservctl",
"open_by_handle_at",
"pivot_root",
"personality",
/* obsolete */
"_sysctl",
"afs_syscall",
"bdflush",
"break",
"create_module",
"ftime",
"get_kernel_syms",
"getpmsg",
"gtty",
"idle",
"lock",
"mpx",
"prof",
"profil",
"putpmsg",
"query_module",
"security",
"sgetmask",
"ssetmask",
"stime",
"stty",
"sysfs",
"tuxcall",
"ulimit",
"uselib",
"ustat",
"vserver",
/* swap */
"swapon",
"swapoff",
};
So... setgroups should be allowed.
setgroups should be allowed
So let's see whether a gnarly
setgroups(0, NULL);
pops up then…
Spoiler, I straced a pacman download and yes, it does:
…
4443 write(7, "filesystem access has been restr"..., 95) = 95
4441 read(6, <unfinished ...>
4443 setgid(972 <unfinished ...>
4441 <... read resumed>"\4\0\0\0", 4) = 4
4443 <... setgid resumed>) = 0
4443 setgroups(0, NULL) = 0
4441 read(6, <unfinished ...>
4443 setuid(972 <unfinished ...>
4441 <... read resumed>"_\0\0\0", 4) = 4
4443 <... setuid resumed>) = 0
4441 read(6, "filesystem access has been restr"..., 95) = 95
…
Looks very much intentional, no idea whether it should™ be.
$ stat -L -c '%a %U:%G %n' / /data /data/lonewolf-repo /data/lonewolf-repo/lonewolf.db
755 root:root /
1777 root:root /data
750 panoramix:pkgbuilder /data/lonewolf-repo
644 panoramix:pkgbuilder /data/lonewolf-repo/lonewolf.db
$ groups alpm
alpm : alpm pkgbuilder
Output of strace -e trace=setgroups -f --seccomp-bpf -o pacman1.trace -- pacman -Syu run as root:
5818 setgroups(0, NULL) = 0
5820 +++ exited with 0 +++
5819 +++ exited with 0 +++
5821 +++ exited with 0 +++
5823 +++ exited with 0 +++
5822 +++ exited with 0 +++
5824 +++ exited with 0 +++
5818 +++ exited with 2 +++
5817 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5818, si_uid=957, si_status=2, si_utime=3 /* 0.03 s */, si_stime=3 /* 0.03 s */} ---
5817 +++ exited with 1 +++
Last edited by Lone_Wolf (2025-05-30 07:43:26)
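For reading traces like the ones above without scrolling through every pid by hand, here is an added Python helper (not part of strace or pacman) that stitches strace's `<unfinished ...>` / `<... resumed>` pairs back together and then reports, per pid, which credential-changing calls ran, whether a setgroups() call emptied the supplementary group list, and which open()/openat() calls were refused with EACCES after that point. The embedded sample trace is constructed from the two excerpts in this thread, collapsed onto one downloader pid (4443) and using the OP's alpm uid 957, so that the group drop and the refused open show up in the same process.

```python
"""Stitch split strace -f lines and flag pids that dropped their supplementary
groups and were then refused a file.  Added example; not strace/pacman code."""
import re
from collections import defaultdict

# Constructed from the thread's excerpts: seth's setgid/setgroups/setuid sequence
# and topcat01's refused openat, merged onto one pid (4443) with alpm uid 957.
SAMPLE_TRACE = r"""4443 write(7, "filesystem access has been restr"..., 95) = 95
4441 read(6, <unfinished ...>
4443 setgid(957 <unfinished ...>
4441 <... read resumed>"\4\0\0\0", 4) = 4
4443 <... setgid resumed>) = 0
4443 setgroups(0, NULL) = 0
4441 read(6, <unfinished ...>
4443 setuid(957 <unfinished ...>
4441 <... read resumed>"_\0\0\0", 4) = 4
4443 <... setuid resumed>) = 0
4443 openat(AT_FDCWD, "/root/.netrc", O_RDONLY) = -1 EACCES (Permission denied)
4443 openat(AT_FDCWD, "/data/lonewolf-repo/lonewolf.db", O_RDONLY <unfinished ...>
4443 <... openat resumed>) = -1 EACCES (Permission denied)
4443 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 21
4443 +++ exited with 2 +++
4441 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4443, si_uid=957, si_status=2} ---
"""

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<rest>.*)$")
UNFINISHED = re.compile(r"^(?P<head>.*?)\s*<unfinished \.\.\.>$")
RESUMED = re.compile(r"^<\.\.\. (?P<call>\w+) resumed>(?P<tail>.*)$")
COMPLETE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)"
                      r"(?:\s+(?P<errno>E[A-Z0-9]+))?")
CRED_CALLS = {"setuid", "setgid", "setgroups", "setreuid", "setregid",
              "setresuid", "setresgid"}


def parse_trace(text: str) -> dict:
    """pid -> list of (call, args, ret, errno), with split lines rejoined."""
    pending, events = {}, defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        if rest.startswith(("+++", "---")):        # exit / signal markers
            continue
        u = UNFINISHED.match(rest)
        if u:                                      # first half; wait for resume
            pending[pid] = u.group("head")
            continue
        r = RESUMED.match(rest)
        if r:                                      # glue second half onto first
            rest = pending.pop(pid, r.group("call") + "(") + r.group("tail")
        c = COMPLETE.match(rest)
        if not c:
            continue
        ret = None if c.group("ret") == "?" else int(c.group("ret"))
        events[pid].append((c.group("call"), c.group("args"), ret, c.group("errno")))
    return events


def analyse(text: str) -> dict:
    """Per pid: credential calls in order, whether setgroups(0, ...) ran,
    and every EACCES open that came after the group list was cleared."""
    report = {}
    for pid, evs in parse_trace(text).items():
        info = {"cred_calls": [], "groups_cleared": False, "denied_after_clear": []}
        for call, args, ret, errno in evs:
            if call in CRED_CALLS and ret == 0:
                info["cred_calls"].append(f"{call}({args.strip()})")
                if call == "setgroups" and re.match(r"0\s*,", args.strip()):
                    info["groups_cleared"] = True
            elif call in ("open", "openat") and errno == "EACCES" and info["groups_cleared"]:
                path = re.search(r'"([^"]*)"', args)   # first quoted arg is the path
                info["denied_after_clear"].append(path.group(1) if path else args)
        report[pid] = info
    return report


def verdict(report: dict) -> list:
    """One line per pid that lost its groups and was then refused a file."""
    return [f"pid {pid}: {' -> '.join(i['cred_calls'])}; then EACCES on "
            f"{', '.join(i['denied_after_clear'])}"
            for pid, i in sorted(report.items())
            if i["groups_cleared"] and i["denied_after_clear"]]


if __name__ == "__main__":
    for line in verdict(analyse(SAMPLE_TRACE)):
        print(line)
```

Run it on a real `strace -f -o pacman.trace -- pacman -Syu` capture by passing the file contents to `analyse()`; a pid listed by `verdict()` is one whose refused open cannot be explained by group membership shown in `id`, which is the situation this thread ended up in.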