From 70971457b761cdd6cd507acfc935295b4f3f237f Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 24 Oct 2018 11:08:28 +0200 Subject: [PATCH] newuidmap/newgidmap: install with file capabilities do not install newuidmap/newgidmap as suid binaries. Running these tools with the same euid as the owner of the user namespace to configure requires only CAP_SETUID and CAP_SETGID instead of requiring CAP_SYS_ADMIN when it is installed as a suid binary. Signed-off-by: Giuseppe Scrivano --- configure.ac | 14 ++++++++++++++ src/Makefile.am | 8 ++++++++ 2 files changed, 22 insertions(+) diff --git a/configure.ac b/configure.ac index aaedf529..c2428056 100644 --- a/configure.ac +++ b/configure.ac @@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then fi AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes") + +AC_ARG_WITH(fcaps, + [AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])], + [with_fcaps=$withval], [with_fcaps=no]) +AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes") + +if test "x$with_fcaps" = "xyes"; then + AC_CHECK_PROGS(capcmd, "setcap") + if test "x$capcmd" = "x" ; then + AC_MSG_ERROR([setcap command not available]) + fi +fi + AC_SUBST(LIBSKEY) AC_SUBST(LIBMD) if test "$with_skey" = "yes"; then @@ -684,4 +697,5 @@ echo " SHA passwords encryption: $with_sha_crypt" echo " nscd support: $with_nscd" echo " sssd support: $with_sssd" echo " subordinate IDs support: $enable_subids" +echo " use file caps: $with_fcaps" echo diff --git a/src/Makefile.am b/src/Makefile.am index 3c98a8d3..19534dc6 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod endif if ENABLE_SUBIDS +if !FCAPS suidubins += newgidmap newuidmap endif +endif if WITH_TCB shadowsgidubins = passwd 
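Review bot: In the configure.ac hunk at `@@ -600,6 +600,19 @@`, `AC_CHECK_PROGS(capcmd, "setcap")` only establishes that a `setcap` is on PATH when configure runs, and the result is never used: the install lines added in the last src/Makefile.am hunk call a bare `setcap`. The program that was checked and the one a privileged `make install` later resolves through its own PATH can therefore differ. Recording an absolute path with `AC_PATH_PROG(capcmd, setcap)` and invoking `$(capcmd) cap_setuid+ep ...` / `$(capcmd) cap_setgid+ep ...` in the install rule would tie the two together. As far as the visible Makefile.am hunks show, the option only has an effect under `ENABLE_SUBIDS`, so a `dnl --with-fcaps only affects newuidmap/newgidmap (subordinate ID support)` line above `AC_ARG_WITH(fcaps,` would document that.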
@@ -138,3 +140,9 @@ if WITH_TCB chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \ done endif +if ENABLE_SUBIDS +if FCAPS + setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap + setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap +endif +endif
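Review bot: The two `setcap` lines set the capability on the staged copy under `$(DESTDIR)`, which needs an installer allowed to set file capabilities and a filesystem that keeps the `security.capability` xattr. An unprivileged staged install would be expected to fail at this point. An archive or copy step that does not preserve xattrs would leave newuidmap/newgidmap with neither the suid bit nor capabilities, because the FCAPS build also removes them from `suidubins` in the earlier hunk. An automake comment ahead of the block would make the requirement explicit, for example `## file capabilities are stored as xattrs: install as root; packagers must re-apply them after unpacking`. The install rule these lines belong to starts outside the hunk.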