emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
e0e9e57a72
shadow/src/newgidmap.c

240 lines
6.0 KiB
C
Raw Normal View History

newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
/*
Update licensing info Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-05 21:05:27 +05:30
* SPDX-FileCopyrightText: 2013 Eric Biederman
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
*
Update licensing info Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-05 21:05:27 +05:30
* SPDX-License-Identifier: BSD-3-Clause
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
*/
#include <config.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "defines.h"
#include "prototypes.h"
#include "subordinateio.h"
newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-01-07 16:45:25 +05:30
#include "getdef.h"
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
#include "idmapping.h"
Make shadow_logfd and Prog not extern Closes #444 Closes #465 Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-11-29 05:07:53 +05:30
#include "shadowlog.h"
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
/*
* Global variables
*/
const char *Prog;
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
{
/* An empty range is invalid */
if (range->count == 0)
return false;
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
*allow_setgroups = true;
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
return true;
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
}
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
/* Allow a process to map its own gid. */
newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-01-07 16:45:25 +05:30
if ((range->count == 1) && (getgid() == range->lower)) {
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
/* noop -- if setgroups is enabled already we won't disable it. */
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
return true;
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
}
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
return false;
}
static void verify_ranges(struct passwd *pw, int ranges,
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
struct map_range *mappings, bool *allow_setgroups)
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
{
struct map_range *mapping;
int idx;
mapping = mappings;
for (idx = 0; idx < ranges; idx++, mapping++) {
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
if (!verify_range(pw, mapping, allow_setgroups)) {
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
Prog,
mapping->upper,
mapping->upper + mapping->count,
mapping->lower,
mapping->lower + mapping->count);
exit(EXIT_FAILURE);
}
}
}
static void usage(void)
{
fprintf(stderr, _("usage: %s <pid> <gid> <lowergid> <count> [ <gid> <lowergid> <count> ] ... \n"), Prog);
exit(EXIT_FAILURE);
}
Declare file local functions static
2022-01-03 17:11:13 +05:30
static void write_setgroups(int proc_dir_fd, bool allow_setgroups)
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
{
int setgroups_fd;
Declare variable for string literal const newgidmap.c:87:16: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] 87 | policy = "deny\n"; | ^
2022-01-03 16:49:00 +05:30
const char *policy;
char policy_buffer[4096];
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
/*
* Default is "deny", and any "allow" will out-rank a "deny". We don't
* forcefully write an "allow" here because the process we are writing
* mappings for may have already set themselves to "deny" (and "allow"
* is the default anyway). So allow_setgroups == true is a noop.
*/
policy = "deny\n";
if (allow_setgroups)
return;
setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
if (setgroups_fd < 0) {
/*
* If it's an ENOENT then we are on too old a kernel for the setgroups
* code to exist. Emit a warning and bail on this.
*/
if (ENOENT == errno) {
fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
goto out;
}
fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
Prog,
strerror(errno));
exit(EXIT_FAILURE);
}
/*
* Check whether the policy is already what we want. /proc/self/setgroups
* is write-once, so attempting to write after it's already written to will
* fail.
*/
if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
Prog,
strerror(errno));
exit(EXIT_FAILURE);
}
if (!strncmp(policy_buffer, policy, strlen(policy)))
goto out;
/* Write the policy. */
if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
Prog,
strerror(errno));
exit(EXIT_FAILURE);
}
if (dprintf(setgroups_fd, "%s", policy) < 0) {
fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
Prog,
policy,
strerror(errno));
exit(EXIT_FAILURE);
}
out:
close(setgroups_fd);
}
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
/*
* newgidmap - Set the gid_map for the specified process
*/
int main(int argc, char **argv)
{
From: Svante Signell <svante.signell@gmail.com> Currently shadow fails to build from source and is flagged as out-of-date. This is due to a usage of PATH_MAX, which is not defined on GNU/Hurd. The attached patch solves this problem by allocating a fixed number of 32 bytes for the string proc_dir_name in files src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are needed) Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-27 03:18:56 +05:30
char proc_dir_name[32];
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
char *target_str;
remove unused variables parent, user_id, and group_id are unused. Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2019-10-13 06:27:12 +05:30
pid_t target;
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
int proc_dir_fd;
int ranges;
struct map_range *mappings;
struct stat st;
struct passwd *pw;
int written;
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
bool allow_setgroups = false;
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
Prog = Basename (argv[0]);
Make shadow_logfd and Prog not extern Closes #444 Closes #465 Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-11-29 05:07:53 +05:30
log_set_progname(Prog);
log_set_logfd(stderr);
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
/*
* The valid syntax are
* newgidmap target_pid
*/
if (argc < 2)
usage();
Fixed typos in new{g,u}idmap tools. Fixed small typos in manual pages and code comments. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2016-07-02 20:09:18 +05:30
/* Find the process that needs its user namespace
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
* gid mapping set.
*/
target_str = argv[1];
if (!get_pid(target_str, &target))
usage();
From: Svante Signell <svante.signell@gmail.com> Currently shadow fails to build from source and is flagged as out-of-date. This is due to a usage of PATH_MAX, which is not defined on GNU/Hurd. The attached patch solves this problem by allocating a fixed number of 32 bytes for the string proc_dir_name in files src/procuidmap.c and src/procgidmap.c. (In fact only 18 bytes are needed) Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-27 03:18:56 +05:30
/* max string length is 6 + 10 + 1 + 1 = 18, allocate 32 bytes */
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
written = snprintf(proc_dir_name, sizeof(proc_dir_name), "/proc/%u/",
target);
Avoid comparisons of different signs Comparisons if different signedness can result in unexpected results. Add casts to ensure operants are of the same type. gettime.c: In function 'gettime': gettime.c:58:26: warning: comparison of integer expressions of different signedness: 'long long unsigned int' and 'time_t' {aka 'long int'} [-Wsign-compare] 58 | } else if (epoch > fallback) { | ^ Cast to time_t, since epoch is less than ULONG_MAX at this point. idmapping.c: In function 'write_mapping': idmapping.c:202:48: warning: comparison of integer expressions of different signedness: 'int' and 'long unsigned int' [-Wsign-compare] 202 | if ((written <= 0) || (written >= (bufsize - (pos - buf)))) { | ^~ newgidmap.c: In function ‘main’: newgidmap.c:178:40: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare] 178 | if ((written <= 0) || (written >= sizeof(proc_dir_name))) { | ^~ newuidmap.c: In function ‘main’: newuidmap.c:107:40: warning: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Wsign-compare] 107 | if ((written <= 0) || (written >= sizeof(proc_dir_name))) { | ^~
2023-01-24 20:35:20 +05:30
if ((written <= 0) || ((size_t)written >= sizeof(proc_dir_name))) {
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
fprintf(stderr, "%s: snprintf of proc path failed: %s\n",
Prog, strerror(errno));
}
proc_dir_fd = open(proc_dir_name, O_DIRECTORY);
if (proc_dir_fd < 0) {
fprintf(stderr, _("%s: Could not open proc directory for target %u\n"),
Prog, target);
return EXIT_FAILURE;
}
/* Who am i? */
pw = get_my_pwent ();
if (NULL == pw) {
fprintf (stderr,
_("%s: Cannot determine your user name.\n"),
Prog);
SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)",
(unsigned long) getuid ()));
return EXIT_FAILURE;
}
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
/* Get the effective uid and effective gid of the target process */
if (fstat(proc_dir_fd, &st) < 0) {
fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
Prog, target);
return EXIT_FAILURE;
}
/* Verify real user and real group matches the password entry
* and the effective user and group of the program whose
* mappings we have been asked to set.
*/
if ((getuid() != pw->pw_uid) ||
newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-01-07 16:45:25 +05:30
(!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
(pw->pw_uid != st.st_uid) ||
newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-01-07 16:45:25 +05:30
(getgid() != st.st_gid)) {
Expand the error message when newuidmap / newgidmap do not like the user/group ownership of their target process. Currently the error is just: newuidmap: Target [pid] is owned by a different user With this patch it will be like: newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 Why is this useful? Well, in my case... The grsecurity kernel-hardening patch includes an option to make parts of /proc unreadable, such as /proc/pid/ dirs for processes not owned by the current uid. This comes with an option to make /proc/pid/ directories readable by a specific gid; sysadmins and the like are then put into that group so they can see a full 'ps'. This means that the check in new[ug]idmap fails, as in the above quoted error - /proc/[targetpid] is owned by root, but the group is 99 so that users in group 99 can see the process. Some Googling finds dozens of people hitting this problem, but not *knowing* that they have hit this problem, because the errors and circumstances are non-obvious. Some graceful way of handling this and not failing, will be next ;) But in the meantime it'd be nice to have new[ug]idmap emit a more useful error, so that it's easier to troubleshoot. Thanks! Signed-off-by: Hank Leininger <hlein@korelogic.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 18:52:48 +05:30
fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
Prog, target,
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
return EXIT_FAILURE;
}
if (!sub_gid_open(O_RDONLY)) {
return EXIT_FAILURE;
}
ranges = ((argc - 2) + 2) / 3;
mappings = get_map_ranges(ranges, argc - 2, argv + 2);
if (!mappings)
usage();
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
verify_ranges(pw, ranges, mappings, &allow_setgroups);
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). We also don't write anything in the "allow" case because "allow" is the default, and users may have already written "deny" even if they technically are allowed to use setgroups. And we don't write anything if the setgroups policy is already "deny". Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Fixes: CVE-2018-7169 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-15 18:19:40 +05:30
write_setgroups(proc_dir_fd, allow_setgroups);
new[ug]idmap: not require CAP_SYS_ADMIN in the parent userNS if the euid!=owner of the userns, the kernel returns EPERM when trying to write the uidmap and there is no CAP_SYS_ADMIN in the parent namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-08 21:48:18 +05:30
write_mapping(proc_dir_fd, ranges, mappings, "gid_map", pw->pw_uid);
newuidmap,newgidmap: New suid helpers for using subordinate uids and gids Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-01-22 14:50:07 +05:30
sub_gid_close();
return EXIT_SUCCESS;
}
Reference in New Issue Copy Permalink