authorColin Walters <walters@verbum.org>2016-04-22 11:09:15 -0400
committerColin Walters (automation) <walters+githubbot@verbum.org>2016-04-26 08:54:10 +0000
commitc0725af71d9ae80968101842d6eb99b926693059 (patch)
tree2e43a7720e55cfe789a1139ab2b823890337b37b
parent7668e6e086a88e206d4d74d3541254a4ab3ecc46 (diff)
downloadbubblewrap-c0725af71d9ae80968101842d6eb99b926693059.tar.gz
Swap --share-user with --unshare-user, but auto-unshare if !setuid
We have to support two different ways to run: - As setuid root, for systems without unprivileged userns support - Non-setuid, but requires unprivileged userns The fact that we exposed `--share-user` is awkward, because it forced tools that want to work in both cases to basically reimplement the logic for detecting userns support, even if they didn't care whether or not userns was enabled. For example in the case of `demos/bubblewrap-shell.sh` where we share the invoking UID. This commit changes things so we now default to `--unshare-user` if we're *not* installed privileged, since it's a requirement. The end result here is that we just work out of the box in more scenarios; callers that require the uid mapping portion of userns will still be passing `--uid`, and this will still properly fail if the kernel doesn't have userns. Closes: #36 Closes: #37 Approved by: alexlarsson
-rw-r--r--bubblewrap.c23
1 files changed, 12 insertions, 11 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 8adf5c6..721a158 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -136,13 +136,13 @@ usage (int ecode)
" --help Print this help\n"
" --version Print version\n"
" --args FD Parse nul-separated args from FD\n"
- " --share-user Don't create new user namespace\n"
+ " --unshare-user Create new user namespace (may be automatically implied if not setuid)\n"
" --unshare-ipc Create new ipc namespace\n"
" --unshare-pid Create new pid namespace\n"
" --unshare-net Create new network namespace\n"
" --unshare-uts Create new uts namespace\n"
- " --uid UID Custom uid in the sandbox (incompatible with --share-user)\n"
- " --gid GID Custon gid in the sandbox (incompatible with --share-user)\n"
+ " --uid UID Custom uid in the sandbox (requires --unshare-user)\n"
+ " --gid GID Custon gid in the sandbox (requires --unshare-user)\n"
" --chdir DIR Change directory to DIR\n"
" --setenv VAR VALUE Set an environment variable\n"
" --unsetenv VAR Unset an environment variable\n"
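Review bot: The rewritten `--gid` usage line still carries the pre-existing typo `Custon`; since the line is being replaced anyway, it should read `" --gid GID Custom gid in the sandbox (requires --unshare-user)\n"`. The new `--unshare-user` line correctly describes the implied behaviour introduced later in main(), so no further wording change is needed there. usage() begins and continues outside this hunk.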
@@ -773,7 +773,7 @@ read_priv_sec_op (int read_socket,
}
char *opt_chdir_path = NULL;
-bool opt_unshare_user = TRUE;
+bool opt_unshare_user = FALSE;
bool opt_unshare_pid = FALSE;
bool opt_unshare_ipc = FALSE;
bool opt_unshare_net = FALSE;
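Review bot: The new `FALSE` default for `opt_unshare_user` is not the effective default: main() later forces it to `TRUE` whenever `is_privileged` is false (the non-setuid install, per the commit message), so a reader of this definition alone would misjudge when a user namespace is created. A comment on the definition would prevent that, e.g. `bool opt_unshare_user = FALSE; /* forced to TRUE in main() when not running privileged; only a real choice for the setuid install */`. The surrounding option definitions continue outside the hunk.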
@@ -859,8 +859,8 @@ parse_args (int *argcp,
argv += 1;
argc -= 1;
}
- else if (strcmp (arg, "--share-user") == 0)
- opt_unshare_user = FALSE;
+ else if (strcmp (arg, "--unshare-user") == 0)
+ opt_unshare_user = TRUE;
else if (strcmp (arg, "--unshare-ipc") == 0)
opt_unshare_ipc = TRUE;
else if (strcmp (arg, "--unshare-pid") == 0)
@@ -1176,8 +1176,9 @@ main (int argc,
parse_args (&argc, &argv);
- if (!opt_unshare_user && !is_privileged)
- die ("bubblewrap is not privileged, --share-user not supported");
+ /* We have to do this if we weren't installed setuid, so let's just DWIM */
+ if (!is_privileged)
+ opt_unshare_user = TRUE;
if (argc == 0)
usage (EXIT_FAILURE);
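Review bot: The comment `/* We have to do this if we weren't installed setuid, so let's just DWIM */` does not say what "this" is or why it is required, which matters because the assignment silently turns on namespace creation for callers that never asked for it. I would replace it with `/* Running without setuid privileges requires a user namespace (there is no other way to obtain the needed capabilities), so force it on instead of failing. */`. Note that after this line an explicit `--unshare-user` and the implied one are indistinguishable, which the later EINVAL error text in this function relies on being able to tell apart. main() begins and continues outside this hunk.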
@@ -1192,10 +1193,10 @@ main (int argc,
opt_sandbox_gid = gid;
if (!opt_unshare_user && opt_sandbox_uid != uid)
- die ("Specifying --uid not compatible with --share-user");
+ die ("Specifying --uid requires --unshare-user");
if (!opt_unshare_user && opt_sandbox_gid != gid)
- die ("Specifying --gid not compatible with --share-user");
+ die ("Specifying --gid requires --unshare-user");
/* We need to read stuff from proc during the pivot_root dance, etc.
Lets keep a fd to it open */
@@ -1240,7 +1241,7 @@ main (int argc,
if (opt_unshare_user)
{
if (errno == EINVAL)
- die ("Creating new namespace failed, likely because the kernel does not support user namespaces. Try without --unshare-user.");
+ die ("Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.");
else if (errno == EPERM && !is_privileged)
die ("No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.");
}
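Review bot: The new EINVAL message unconditionally tells the user that bwrap must be installed setuid, but this branch is also reached when the binary already is privileged and the caller passed `--unshare-user` explicitly (the forced `TRUE` in main() only applies when `!is_privileged`), in which case the advice is wrong. The adjacent EPERM branch already distinguishes on `is_privileged`, and the EINVAL one should too, e.g. `die (is_privileged ? "Creating new namespace failed, likely because the kernel does not support user namespaces. Try without --unshare-user." : "Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.");`. The unshare call whose errno is inspected here, and the rest of main(), lie outside the hunk.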