From c464ec55709dc931ba2f24073b8b1a86d5209ab0 Mon Sep 17 00:00:00 2001
From: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
Date: Thu, 7 Jan 2021 12:15:25 +0100
Subject: [PATCH] newuidmap,newgidmap: Relax gid checking to allow running
 under alternative group ID

Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
---
 etc/login.defs  | 6 ++++++
 lib/getdef.c    | 1 +
 src/newgidmap.c | 7 ++++---
 src/newuidmap.c | 5 +++--
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/etc/login.defs b/etc/login.defs
index 2eef4f20..b9409185 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -438,3 +438,9 @@ USERGROUPS_ENAB yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes
diff --git a/lib/getdef.c b/lib/getdef.c
index 92683625..c3506473 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -160,6 +160,7 @@ static struct itemdef def_table[] = {
 	{"USE_TCB", NULL},
 #endif
 	{"FORCE_SHADOW", NULL},
+	{"GRANT_AUX_GROUP_SUBIDS", NULL},
 	{NULL, NULL}
 };
 
diff --git a/src/newgidmap.c b/src/newgidmap.c
index 7fcb459f..85b08055 100644
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"
 
 /*
@@ -60,7 +61,7 @@ static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow
 	}
 
 	/* Allow a process to map its own gid. */
-	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+	if ((range->count == 1) && (getgid() == range->lower)) {
 		/* noop -- if setgroups is enabled already we won't disable it. */
 		return true;
 	}
@@ -228,9 +229,9 @@ int main(int argc, char **argv)
 	 * mappings we have been asked to set.
 	 */
 	if ((getuid() != pw->pw_uid) ||
-	    (getgid() != pw->pw_gid) ||
+	    (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (getgid() != st.st_gid)) {
 		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
 			Prog, target,
 			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
diff --git a/src/newuidmap.c b/src/newuidmap.c
index 55d84ba8..b8466de0 100644
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"
 
 /*
@@ -158,9 +159,9 @@ int main(int argc, char **argv)
 	 * mappings we have been asked to set.
 	 */
 	if ((getuid() != pw->pw_uid) ||
-	    (getgid() != pw->pw_gid) ||
+	    (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
 	    (pw->pw_uid != st.st_uid) ||
-	    (pw->pw_gid != st.st_gid)) {
+	    (getgid() != st.st_gid)) {
 		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
 			Prog, target,
 			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,