The apptainer-suid package version 1.1.8 now in epel-testing has an incompatible change because of a security vulnerability. The change is that a new option "allow setuid-mount extfs" was added which defaults to no, preventing ordinary users from mounting ext3 filesystems in setuid-root mode. Those filesystems are used by a subset of users primarily for the overlay feature which adds changes on top of a base container image. If unprivileged user namespaces are enabled, users will still be able to mount ext3 filesystems by using the "-u/--userns" option or if the apptainer-suid package is removed. If system administrators review the vulnerability description at https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4... and decide they still want to allow setuid-root access to this feature, they can enable it by setting "allow setuid-mount extfs = yes" in /etc/apptainer/apptainer.conf.
This package will not be promoted to the epel repository for at least two weeks, pending approval by the EPEL Steering Committee according to the EPEL incompatible change policy.
Apptainer 1.1.8 release notes are at https://github.com/apptainer/apptainer/releases/tag/v1.1.8
Dave
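A check an administrator can run after the update to see which way this option is set on a host, added here as an example (it is not part of Dave's announcement or of the Apptainer project's own tooling); it assumes the "key = value" line syntax quoted above and treats an absent or commented-out key as the 1.1.8 default of no:

```shell
# Added example (not from the announcement): report the effective value of
# the "allow setuid-mount extfs" option introduced in apptainer-suid 1.1.8.
# Assumes the "allow setuid-mount extfs = yes|no" syntax shown in the
# announcement and that a missing or commented-out key means the default, "no".
# Usage: setuid_extfs_policy [/etc/apptainer/apptainer.conf]
setuid_extfs_policy() {
    conf="${1:-/etc/apptainer/apptainer.conf}"
    if [ ! -r "$conf" ]; then
        echo "missing"      # no config file: apptainer-suid is likely not installed
        return 0
    fi
    # Keep only uncommented lines that set the key; the last one wins.
    # Strip the key, the '=', surrounding blanks, and normalise case.
    value=$(sed -n 's/^[[:space:]]*allow setuid-mount extfs[[:space:]]*=[[:space:]]*//p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    case "$value" in
        "")  echo "no (default)" ;;   # key absent: setuid ext3 mounts stay disabled
        yes) echo "yes" ;;            # administrator re-enabled setuid-root ext3 mounts
        no)  echo "no" ;;
        *)   echo "unknown:$value" ;; # unexpected value, worth a manual look
    esac
}
```

A result of "yes" means the host has opted back into the behaviour the advisory describes, so it belongs on the list of systems to review.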
This change has now been approved by the EPEL Steering Committee and requested to be pushed to stable. I expect it to be in stable sometime tomorrow.
Dave
On Wed, Apr 26, 2023 at 01:07:32PM -0500, Dave Dykstra wrote:
> The apptainer-suid package version 1.1.8 now in epel-testing has an incompatible change because of a security vulnerability. The change is that a new option "allow setuid-mount extfs" was added which defaults to no, preventing ordinary users from mounting ext3 filesystems in setuid-root mode. Those filesystems are used by a subset of users primarily for the overlay feature which adds changes on top of a base container image. If unprivileged user namespaces are enabled, users will be able to still mount ext3 filesystems by using the "-u/--userns" option or if the apptainer-suid package is removed. If system administrators review the vulnerability description at https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4... and decide they still want to allow setuid-root access to this feature, they can enable it by setting "allow setuid-mount extfs = yes" in /etc/apptainer/apptainer.conf.
>
> This package will not be promoted to the epel repository for at least two weeks, pending approval by the EPEL Steering Committee according to the EPEL incompatible change policy.
>
> Apptainer 1.1.8 release notes are at https://github.com/apptainer/apptainer/releases/tag/v1.1.8
>
> Dave
epel-devel@lists.fedoraproject.org