newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID

Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
2021-01-07 12:15:25 +01:00 · 2021-01-07 12:15:25 +01:00 · c464ec5570
commit c464ec5570
parent ae169c4046
4 changed files with 14 additions and 5 deletions
--- a/etc/login.defs
+++ b/etc/login.defs
@ -438,3 +438,9 @@ USERGROUPS_ENAB yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
--- a/lib/getdef.c
+++ b/lib/getdef.c
@ -160,6 +160,7 @@ static struct itemdef def_table[] = {
 	{"USE_TCB", NULL},
 #endif
 	{"FORCE_SHADOW", NULL},
+	{"GRANT_AUX_GROUP_SUBIDS", NULL},
 	{NULL, NULL}
 };

--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"

 /*
@ -60,7 +61,7 @@ static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow
 	}

 	/* Allow a process to map its own gid. */
-	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+	if ((range->count == 1) && (getgid() == range->lower)) {
 		/* noop -- if setgroups is enabled already we won't disable it. */
 		return true;
 	}
@ -228,9 +229,9 @@ int main(int argc, char **argv)
 	 * mappings we have been asked to set.
 	 */
 	if ((getuid() != pw->pw_uid) ||
-	    (getgid() != pw->pw_gid) ||
+	    (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (getgid() != st.st_gid)) {
 		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
 			Prog, target,
 			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"

 /*
@ -158,9 +159,9 @@ int main(int argc, char **argv)
 	 * mappings we have been asked to set.
 	 */
 	if ((getuid() != pw->pw_uid) ||
-	    (getgid() != pw->pw_gid) ||
+	    (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (getgid() != st.st_gid)) {
 		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
 			Prog, target,
 			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,