Expand the error message when newuidmap / newgidmap do not like the user/group ownership of their target process.
Currently the error is just: newuidmap: Target [pid] is owned by a different user With this patch it will be like: newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 Why is this useful? Well, in my case... The grsecurity kernel-hardening patch includes an option to make parts of /proc unreadable, such as /proc/pid/ dirs for processes not owned by the current uid. This comes with an option to make /proc/pid/ directories readable by a specific gid; sysadmins and the like are then put into that group so they can see a full 'ps'. This means that the check in new[ug]idmap fails, as in the above quoted error - /proc/[targetpid] is owned by root, but the group is 99 so that users in group 99 can see the process. Some Googling finds dozens of people hitting this problem, but not *knowing* that they have hit this problem, because the errors and circumstances are non-obvious. Some graceful way of handling this and not failing, will be next ;) But in the meantime it'd be nice to have new[ug]idmap emit a more useful error, so that it's easier to troubleshoot. Thanks! Signed-off-by: Hank Leininger <hlein@korelogic.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
parent
464456fa31
commit
884895ae25
@ -161,8 +161,10 @@ int main(int argc, char **argv)
|
|||||||
(getgid() != pw->pw_gid) ||
|
(getgid() != pw->pw_gid) ||
|
||||||
(pw->pw_uid != st.st_uid) ||
|
(pw->pw_uid != st.st_uid) ||
|
||||||
(pw->pw_gid != st.st_gid)) {
|
(pw->pw_gid != st.st_gid)) {
|
||||||
fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
|
fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||||
Prog, target);
|
Prog, target,
|
||||||
|
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
|
||||||
|
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -161,8 +161,10 @@ int main(int argc, char **argv)
|
|||||||
(getgid() != pw->pw_gid) ||
|
(getgid() != pw->pw_gid) ||
|
||||||
(pw->pw_uid != st.st_uid) ||
|
(pw->pw_uid != st.st_uid) ||
|
||||||
(pw->pw_gid != st.st_gid)) {
|
(pw->pw_gid != st.st_gid)) {
|
||||||
fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
|
fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
|
||||||
Prog, target);
|
Prog, target,
|
||||||
|
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
|
||||||
|
(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user