diff options
author | Alexander Larsson <alexander.larsson@gmail.com> | 2020-03-30 15:08:41 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-30 15:08:41 +0200 |
commit | 1f7e2ad948c051054b683461885a0215f1806240 (patch) | |
tree | 3fb582b4ed1859523875f19ca1972bdedf0d05dc | |
parent | 38dd7e4bb863f0035c1fcc6d27291ecea0fe103f (diff) | |
parent | 6f815ceeadd2728903b83f227945769c582e5c74 (diff) | |
download | bubblewrap-1f7e2ad948c051054b683461885a0215f1806240.tar.gz |
Merge pull request from GHSA-j2qp-rvxj-43vj
Fix setuid vulnerability
-rw-r--r-- | bubblewrap.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/bubblewrap.c b/bubblewrap.c index 3b6b645..b3d52bc 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -837,11 +837,13 @@ switch_to_user_with_privs (void) /* Call setuid() and use capset() to adjust capabilities */ static void -drop_privs (bool keep_requested_caps) +drop_privs (bool keep_requested_caps, + bool already_changed_uid) { assert (!keep_requested_caps || !is_privileged); /* Drop root uid */ - if (geteuid () == 0 && setuid (opt_sandbox_uid) < 0) + if (is_privileged && !already_changed_uid && + setuid (opt_sandbox_uid) < 0) die_with_error ("unable to drop root uid"); drop_all_caps (keep_requested_caps); @@ -2299,6 +2301,9 @@ main (int argc, if (opt_userns_fd != -1 && is_privileged) die ("--userns doesn't work in setuid mode"); + if (opt_userns2_fd != -1 && is_privileged) + die ("--userns2 doesn't work in setuid mode"); + /* We have to do this if we weren't installed setuid (and we're not * root), so let's just DWIM */ if (!is_privileged && getuid () != 0 && opt_userns_fd == -1) @@ -2502,7 +2507,7 @@ main (int argc, die_with_error ("Setting userns2 failed"); /* We don't need any privileges in the launcher, drop them immediately. */ - drop_privs (FALSE); + drop_privs (FALSE, FALSE); /* Optionally bind our lifecycle to that of the parent */ handle_die_with_parent (); @@ -2677,7 +2682,7 @@ main (int argc, if (child == 0) { /* Unprivileged setup process */ - drop_privs (FALSE); + drop_privs (FALSE, TRUE); close (privsep_sockets[0]); setup_newroot (opt_unshare_pid, privsep_sockets[1]); exit (0); @@ -2775,7 +2780,7 @@ main (int argc, } /* All privileged ops are done now, so drop caps we don't need */ - drop_privs (!is_privileged); + drop_privs (!is_privileged, TRUE); if (opt_block_fd != -1) { |