newuidmap/newgidmap: install with file capabilities

do not install newuidmap/newgidmap as suid binaries. Running these tools with the same euid as the owner of the user namespace to configure requires only CAP_SETUID and CAP_SETGID instead of requiring CAP_SYS_ADMIN when it is installed as a suid binary. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2018-10-24 11:08:28 +02:00 · 2018-10-24 11:08:28 +02:00 · 70971457b7
commit 70971457b7
parent ff8b1ebafa
2 changed files with 22 additions and 0 deletions
--- a/configure.ac
+++ b/configure.ac
@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then
 fi
 AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")

+
+AC_ARG_WITH(fcaps,
+	[AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
+	[with_fcaps=$withval], [with_fcaps=no])
+AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
+
+if test "x$with_fcaps" = "xyes"; then
+	AC_CHECK_PROGS(capcmd, "setcap")
+	if test "x$capcmd" = "x" ; then
+		AC_MSG_ERROR([setcap command not available])
+	fi
+fi
+
 AC_SUBST(LIBSKEY)
 AC_SUBST(LIBMD)
 if test "$with_skey" = "yes"; then
@ -684,4 +697,5 @@ echo "	SHA passwords encryption:	$with_sha_crypt"
 echo "	nscd support:			$with_nscd"
 echo "	sssd support:			$with_sssd"
 echo "	subordinate IDs support:	$enable_subids"
+echo "	use file caps:			$with_fcaps"
 echo
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
 suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
+if !FCAPS
 suidubins += newgidmap newuidmap
 endif
+endif

 if WITH_TCB
 shadowsgidubins = passwd
@ -138,3 +140,9 @@ if WITH_TCB
 		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
 	done
 endif
+if ENABLE_SUBIDS
+if FCAPS
+	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
+	setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
+endif
+endif