gittup/tup

tup only works with sudo ("setgroups: Permission denied")

Opened this issue · 3 comments

So I just upgraded to Ubuntu 24.04.
Now, this is what I get:

$ tup
/proc/11285/setgroups: Permission denied
tup error: Unable to deny setgroups when setting up user namespace.
tup error: master_fork server did not start up correctly.

However, sudo tup works

GPT and I have been investigating that.
Turns out AppArmor was making the trouble, and this solved the issue for me:

  1. delete /etc/apparmor.d/tup or any file there named after tup
  2. create the file /etc/apparmor.d/usr.local.bin.tup (adapt the filename and file content to your tup path):

#include <tunables/global>
"/usr/local/bin/tup" {
  #include <abstractions/base>
  capability sys_admin,
  mount,umount,
  /** rwk,
  /** ix,
}

  3. run sudo apparmor_parser -r /etc/apparmor.d/usr.local.bin.tup

This basically allows everything tup might have requested during my tests.
In case I missed anything and you have tup complaining about missing rights, you can then run aa-notify -s 1 -v to see what was denied and tune the file above.

I had to add flags=(attach_disconnected) to mine to make it work:

#include <tunables/global>
"/usr/local/bin/tup" flags=(attach_disconnected) {
  #include <abstractions/base>
  capability sys_admin,
  mount,umount,
  /** rwk,
  /** ix,
}

I don't really know anything about AppArmor so I don't know why I needed it and why that worked, but in case other people are having trouble getting it to work, adding that worked for me.

This is what I saw in journalctl -xe before adding it:

Jul 23 10:16:26 mosi kernel: audit: type=1400 audit(1721726186.039:4133): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="/usr/local/bin/tup" name="home/dan/foo/.tup/tmp/

Ubuntu 22.04 LTS "Jammy".

I have the exact same error message. Nothing tup-related in the journalctl log.

I followed the suggestion above and added the flag, but it didn't help.

My tup is in /usr/bin rather than /usr/local/bin, but I made that change to the AppArmor config above.

If it's any use, here is my aa-notify output:

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

Profile: /usr/bin/tup
Operation: capable
Name: dac_override
Logfile: /var/log/kern.log

I don't know how to progress this. Just to get some work done, I'll switch to make. (Ugh.)
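The thread's suggested workflow is "look at what AppArmor denied (journalctl -xe or aa-notify), then tune the profile". The following is an added example, not code from the tup project or from anyone in this thread: a small parser for AppArmor kernel audit records (the `apparmor="DENIED" operation=... profile=...` lines shown above) that groups denials per profile and names the rule class each one points at, so a profile can be tightened to the specific capability or file access it needs instead of the catch-all `capability sys_admin` / `/** rwk` grant. The sample log lines are constructed for this example and modelled on the journalctl line and aa-notify output posted in the thread; the audit field names (`operation`, `class`, `info`, `profile`, `name`, `capname`) are the ones the AppArmor kernel module emits.

```python
import re

# key="quoted value" or key=bare_value, as emitted in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines modelled on the journalctl / aa-notify output in this thread.
# Line 1: the "disconnected path" denial the attach_disconnected flag addresses.
# Lines 2-4: three repeated dac_override capability denials, as in the last comment.
# Line 5: an ALLOWED record, which the summary must ignore.
SAMPLE_LOG = """\
Jul 23 10:16:26 mosi kernel: audit: type=1400 audit(1721726186.039:4133): apparmor="DENIED" operation="getattr" class="file" info="Failed name lookup - disconnected path" error=-13 profile="/usr/local/bin/tup" name="home/example/project/.tup/tmp/"
Jul 23 10:16:27 mosi kernel: audit: type=1400 audit(1721726187.001:4134): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/tup" pid=11285 comm="tup" capability=1  capname="dac_override"
Jul 23 10:16:27 mosi kernel: audit: type=1400 audit(1721726187.002:4135): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/tup" pid=11285 comm="tup" capability=1  capname="dac_override"
Jul 23 10:16:27 mosi kernel: audit: type=1400 audit(1721726187.003:4136): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/tup" pid=11285 comm="tup" capability=1  capname="dac_override"
Jul 23 10:16:28 mosi kernel: audit: type=1400 audit(1721726188.000:4137): apparmor="ALLOWED" operation="open" class="file" profile="/usr/bin/tup" name="/etc/ld.so.cache" pid=11285 comm="tup" requested_mask="r" denied_mask="r"
"""


def parse_audit_line(line):
    """Parse one kernel audit line into a dict of its key=value fields.

    Returns None for lines that are not AppArmor records (e.g. unrelated
    journal output), so callers can feed a whole journal dump through it.
    """
    if 'apparmor=' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def denial_hint(rec):
    """Name the profile rule class a DENIED record points at.

    The hint is the narrowest thing to consider adding; whether it should be
    granted at all is a separate decision.
    """
    op = rec.get('operation')
    if op == 'capable':
        # e.g. 'capability dac_override,' is the AppArmor rule syntax for one capability
        return 'capability %s,' % rec.get('capname', '?')
    if rec.get('class') == 'file':
        if 'disconnected path' in rec.get('info', ''):
            # the case from the thread: a path outside the profile's namespace view
            return 'disconnected path (profile flags=(attach_disconnected))'
        return 'file rule for %s' % rec.get('name', '?')
    return 'operation %s (no hint)' % op


def summarize_denials(log_text):
    """Count DENIED records per (profile, hint); ALLOWED and non-AppArmor lines are skipped."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue
        key = (rec.get('profile', '?'), denial_hint(rec))
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == '__main__':
    for (profile, hint), count in sorted(summarize_denials(SAMPLE_LOG).items()):
        print('%-22s x%d  %s' % (profile, count, hint))
```

To run it against a real machine, replace `SAMPLE_LOG` with the output of `journalctl -k` (or the contents of /var/log/kern.log, the file aa-notify reads). Repeated identical denials, like the three `dac_override` entries above, collapse into one line with a count, which makes it easier to see whether a profile is missing one thing or many.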