diff options
author | Balint Reczey <balint.reczey@canonical.com> | 2019-06-23 22:06:37 +0200 |
---|---|---|
committer | Balint Reczey <balint.reczey@canonical.com> | 2019-06-23 22:06:37 +0200 |
commit | b28d45d2bd2462414b9dbbe38e6c7f3d5f7b462b (patch) | |
tree | 4b068e3513ef5c60228cddfcda72be0a31d09b14 /libmisc/idmapping.c | |
parent | b0729855e8fb744192a0395ea24673557818172c (diff) | |
download | shadow-b28d45d2bd2462414b9dbbe38e6c7f3d5f7b462b.tar.gz |
New upstream version 4.7upstream/4.7
Diffstat (limited to 'libmisc/idmapping.c')
-rw-r--r-- | libmisc/idmapping.c | 59 |
1 files changed, 57 insertions, 2 deletions
diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c index 20f2d9c7..aea94936 100644 --- a/libmisc/idmapping.c +++ b/libmisc/idmapping.c @@ -36,6 +36,10 @@ #include <stdio.h> #include "prototypes.h" #include "idmapping.h" +#include <sys/prctl.h> +#if HAVE_SYS_CAPABILITY_H +#include <sys/capability.h> +#endif struct map_range *get_map_ranges(int ranges, int argc, char **argv) { @@ -119,9 +123,23 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv) */ #define ULONG_DIGITS ((((sizeof(unsigned long) * CHAR_BIT) + 9)/10)*3) - +/* + * The ruid refers to the caller's uid and is used to reset the effective uid + * back to the callers real uid. + * This clutch mainly exists for setuid-based new{g,u}idmap binaries that are + * called in contexts where all capabilities other than the necessary + * CAP_SET{G,U}ID capabilities are dropped. Since the kernel will require + * assurance that the caller holds CAP_SYS_ADMIN over the target user namespace + * the only way it can confirm is in this case is if the effective uid is + * equivalent to the uid owning the target user namespace. + * Note, we only support this when a) new{g,u}idmap is not called by root and + * b) if the caller's uid and the uid retrieved via system appropriate means + * (shadow file or other) are identical. Specifically, this does not support + * when the root user calls the new{g,u}idmap binary for an unprivileged user. + * If this is wanted: use file capabilities! + */ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings, - const char *map_file) + const char *map_file, uid_t ruid) { int idx; struct map_range *mapping; @@ -129,6 +147,43 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings, char *buf, *pos; int fd; +#if HAVE_SYS_CAPABILITY_H + int cap; + struct __user_cap_header_struct hdr = {_LINUX_CAPABILITY_VERSION_3, 0}; + struct __user_cap_data_struct data[2] = {{0}}; + + if (strcmp(map_file, "uid_map") == 0) { + cap = CAP_SETUID; + } else if (strcmp(map_file, "gid_map") == 0) { + cap = CAP_SETGID; + } else { + fprintf(stderr, _("%s: Invalid map file %s specified\n"), Prog, map_file); + exit(EXIT_FAILURE); + } + + /* Align setuid- and fscaps-based new{g,u}idmap behavior. */ + if (geteuid() == 0 && geteuid() != ruid) { + if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { + fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog); + exit(EXIT_FAILURE); + } + + if (seteuid(ruid) < 0) { + fprintf(stderr, _("%s: Could not seteuid to %d\n"), Prog, ruid); + exit(EXIT_FAILURE); + } + } + + /* Lockdown new{g,u}idmap by dropping all unneeded capabilities. */ + memset(data, 0, sizeof(data)); + data[0].effective = CAP_TO_MASK(cap); + data[0].permitted = data[0].effective; + if (capset(&hdr, data) < 0) { + fprintf(stderr, _("%s: Could not set caps\n"), Prog); + exit(EXIT_FAILURE); + } +#endif + bufsize = ranges * ((ULONG_DIGITS + 1) * 3); pos = buf = xmalloc(bufsize); |