newuidmap/newgidmap: install with file capabilities
do not install newuidmap/newgidmap as suid binaries. Running these tools with the same euid as the owner of the user namespace to configure requires only CAP_SETUID and CAP_SETGID instead of requiring CAP_SYS_ADMIN when it is installed as a suid binary. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
@@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
|
||||
suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
|
||||
endif
|
||||
if ENABLE_SUBIDS
|
||||
if !FCAPS
|
||||
suidubins += newgidmap newuidmap
|
||||
endif
|
||||
endif
|
||||
|
||||
if WITH_TCB
|
||||
shadowsgidubins = passwd
|
||||
@@ -138,3 +140,9 @@ if WITH_TCB
|
||||
chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
|
||||
done
|
||||
endif
|
||||
if ENABLE_SUBIDS
|
||||
if FCAPS
|
||||
setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
|
||||
setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
|
||||
endif
|
||||
endif
|
||||
|
||||
Reference in New Issue
Block a user