newuidmap/newgidmap: install with file capabilities

do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano 2018-10-24 11:08:28 +02:00
parent ff8b1ebafa
commit 70971457b7
No known key found for this signature in database
GPG Key ID: E4730F97F60286ED
2 changed files with 22 additions and 0 deletions

View File

@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then
fi fi
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes") AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
AC_ARG_WITH(fcaps,
[AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
[with_fcaps=$withval], [with_fcaps=no])
AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
if test "x$with_fcaps" = "xyes"; then
AC_CHECK_PROGS(capcmd, "setcap")
if test "x$capcmd" = "x" ; then
AC_MSG_ERROR([setcap command not available])
fi
fi
AC_SUBST(LIBSKEY) AC_SUBST(LIBSKEY)
AC_SUBST(LIBMD) AC_SUBST(LIBMD)
if test "$with_skey" = "yes"; then if test "$with_skey" = "yes"; then
@ -684,4 +697,5 @@ echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd" echo " nscd support: $with_nscd"
echo " sssd support: $with_sssd" echo " sssd support: $with_sssd"
echo " subordinate IDs support: $enable_subids" echo " subordinate IDs support: $enable_subids"
echo " use file caps: $with_fcaps"
echo echo

View File

@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
endif endif
if ENABLE_SUBIDS if ENABLE_SUBIDS
if !FCAPS
suidubins += newgidmap newuidmap suidubins += newgidmap newuidmap
endif endif
endif
if WITH_TCB if WITH_TCB
shadowsgidubins = passwd shadowsgidubins = passwd
@ -138,3 +140,9 @@ if WITH_TCB
chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \ chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
done done
endif endif
if ENABLE_SUBIDS
if FCAPS
setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
endif
endif