authorAlexander Larsson <alexl@redhat.com>2019-11-27 09:33:52 +0100
committerAlexander Larsson <alexl@redhat.com>2019-11-27 09:33:52 +0100
commite9980e36fc045d4fc8ec24a817b5f820c882c743 (patch)
tree41126a30d7c45d79ea8e43648c6b646e37c4e24e
parentd3c1c74c97b9b1ead622755b553d4e6015e6660c (diff)
downloadbubblewrap-e9980e36fc045d4fc8ec24a817b5f820c882c743.tar.gz
Allow --uid and --gid with --userns
This enables these options in this case, and also ensures we set[ug]id to the destination ids early when entering the namespace, because otherwise creating files during sandbox setup fails if the real user id isn't mapped in the destination user namespace (and so that we actually become that user/group).
-rw-r--r--bubblewrap.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/bubblewrap.c b/bubblewrap.c
index 1b75a48..f1feb5e 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -236,8 +236,8 @@ usage (int ecode, FILE *out)
" --userns FD Use this user namespace (cannot combine with --unshare-user)\n"
" --userns2 FD After setup switch to this user namspace, only useful with --userns\n"
" --pidns FD Use this user namespace (as parent namespace if using --unshare-pid)\n"
- " --uid UID Custom uid in the sandbox (requires --unshare-user)\n"
- " --gid GID Custom gid in the sandbox (requires --unshare-user)\n"
+ " --uid UID Custom uid in the sandbox (requires --unshare-user or --userns)\n"
+ " --gid GID Custom gid in the sandbox (requires --unshare-user or --userns)\n"
" --hostname NAME Custom hostname in the sandbox (requires --unshare-uts)\n"
" --chdir DIR Change directory to DIR\n"
" --setenv VAR VALUE Set an environment variable\n"
@@ -808,6 +808,16 @@ switch_to_user_with_privs (void)
if (opt_unshare_user || opt_userns_fd != -1)
drop_cap_bounding_set (FALSE);
+ /* If we switched to a new user namespace it may allow other uids/gids, so switch to the target one */
+ if (opt_userns_fd != -1)
+ {
+ if (setuid (opt_sandbox_uid) < 0)
+ die_with_error ("unable to switch to uid %d", opt_sandbox_uid);
+
+ if (setgid (opt_sandbox_gid) < 0)
+ die_with_error ("unable to switch to gid %d", opt_sandbox_gid);
+ }
+
if (!is_privileged)
return;
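Review bot: The new block calls setuid() before setgid(), which is the fragile order: once every uid of the process is non-zero the kernel clears its permitted and effective capabilities (no PR_SET_KEEPCAPS is visible before this point in the hunk), so the following setgid(opt_sandbox_gid) can fail with EPERM whenever the target gid differs from the current one, and the sandbox then dies even though the namespace maps both ids. Swapping the two calls — `if (setgid (opt_sandbox_gid) < 0)` first, then `if (setuid (opt_sandbox_uid) < 0)` — changes the gid while CAP_SETGID is still held. A one-line comment such as `/* gid first: setuid() to a non-zero uid drops the capabilities setgid() needs */` would record why the order matters. switch_to_user_with_privs starts and ends outside the hunk, so whether the later privileged path relies on the same ordering cannot be confirmed from here.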
@@ -2338,11 +2348,11 @@ main (int argc,
if (opt_sandbox_gid == -1)
opt_sandbox_gid = real_gid;
- if (!opt_unshare_user && opt_sandbox_uid != real_uid)
- die ("Specifying --uid requires --unshare-user");
+ if (!opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_uid != real_uid)
+ die ("Specifying --uid requires --unshare-user or --userns");
- if (!opt_unshare_user && opt_sandbox_gid != real_gid)
- die ("Specifying --gid requires --unshare-user");
+ if (!opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_gid != real_gid)
+ die ("Specifying --gid requires --unshare-user or --userns");
if (!opt_unshare_uts && opt_sandbox_hostname != NULL)
die ("Specifying --hostname requires --unshare-uts");