authorAlexander Larsson <alexl@redhat.com>2019-11-21 18:25:35 +0100
committerAlexander Larsson <alexl@redhat.com>2019-11-21 18:32:42 +0100
commitf9f6127474591c8a4731d8b755a4670adcb83b9e (patch)
treed9025055250352aab7aa1bc9919fb8f3b03d959a
parent2b01f0653500ab9a212a2a3ba858d13f94783698 (diff)
downloadbubblewrap-f9f6127474591c8a4731d8b755a4670adcb83b9e.tar.gz
setuid mode: Properly drop privs in monitor and pid1
It turns out we have this check in drop_privs(): if (getuid () == 0 && setuid (opt_sandbox_uid) < 0) It is supposed to drop back to the regular uid when we're in setuid mode and running in the monitor_child() or do_init() processes. Unfortunately in setuid mode we are setuid-root, not plain root, so the real uid is not 0 while the effective uid is. This caused the monitoring processes to keep running partially as root, which shows up weirdly in /proc. Fix this by checking the effective uid (geteuid()) for 0 instead.
-rw-r--r--bubblewrap.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 1ec9d2b..645a3cf 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -822,7 +822,7 @@ drop_privs (bool keep_requested_caps)
{
assert (!keep_requested_caps || !is_privileged);
/* Drop root uid */
- if (getuid () == 0 && setuid (opt_sandbox_uid) < 0)
+ if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0)
die_with_error ("unable to drop root uid");
drop_all_caps (keep_requested_caps);
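Review bot: After the `setuid()` on the new line nothing confirms that the real, effective and saved uids actually left 0, so a second silent failure of the same kind this commit fixes (a condition that quietly skips the drop) would again go unnoticed; CERT POS37-C asks for exactly that post-condition check after relinquishing privilege. Because `setuid()` called with effective uid 0 sets all three uids together, the check is just comparing `getuid()` and `geteuid()` against `opt_sandbox_uid`, but it must stay on the path where the effective uid was 0 beforehand, since in unprivileged mode the monitor's real uid may legitimately differ from `opt_sandbox_uid` (how `opt_sandbox_uid` is assigned is not visible in this hunk). A `bool` remembering the pre-drop state keeps the check on the setuid path only. I used a plain `die ()` because errno carries nothing after a successful `setuid()`; if the file has no such helper, `die_with_error` with the same message will do. drop_privs continues past the end of the hunk.
```c
  /* Drop root uid.  In setuid mode the real uid is the caller's, so test the effective uid. */
  bool was_root = geteuid () == 0;
  if (was_root && setuid (opt_sandbox_uid) < 0)
    die_with_error ("unable to drop root uid");
  /* POS37-C: confirm the drop took effect before relying on it */
  if (was_root && (getuid () != opt_sandbox_uid || geteuid () != opt_sandbox_uid))
    die ("unable to drop root uid");
  /* … unchanged: drop_all_caps (keep_requested_caps); … */
```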