emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID

Browse Source 
Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>
This commit is contained in:
Martijn de Gouw 2021-01-07 12:15:25 +01:00
parent ae169c4046
commit c464ec5570
4 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
etc/login.defs
View File

@ -438,3 +438,9 @@ USERGROUPS_ENAB yes
# missing. # missing.
# #
#FORCE_SHADOW yes #FORCE_SHADOW yes
#
# Allow newuidmap and newgidmap when running under an alternative
# primary group.
#
#GRANT_AUX_GROUP_SUBIDS yes

1
lib/getdef.c
View File

@ -160,6 +160,7 @@ static struct itemdef def_table[] = {
{"USE_TCB", NULL}, {"USE_TCB", NULL},
#endif #endif
{"FORCE_SHADOW", NULL}, {"FORCE_SHADOW", NULL},
{"GRANT_AUX_GROUP_SUBIDS", NULL},
{NULL, NULL} {NULL, NULL}
}; };

7
src/newgidmap.c
View File

@ -39,6 +39,7 @@
#include "defines.h" #include "defines.h"
#include "prototypes.h" #include "prototypes.h"
#include "subordinateio.h" #include "subordinateio.h"
#include "getdef.h"
#include "idmapping.h" #include "idmapping.h"
/* /*
@ -60,7 +61,7 @@ static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow
} }
/* Allow a process to map its own gid. */ /* Allow a process to map its own gid. */
if ((range->count == 1) && (pw->pw_gid == range->lower)) { if ((range->count == 1) && (getgid() == range->lower)) {
/* noop -- if setgroups is enabled already we won't disable it. */ /* noop -- if setgroups is enabled already we won't disable it. */
return true; return true;
} }
@ -228,9 +229,9 @@ int main(int argc, char **argv)
* mappings we have been asked to set. * mappings we have been asked to set.
*/ */
if ((getuid() != pw->pw_uid) || if ((getuid() != pw->pw_uid) ||
(getgid() != pw->pw_gid) || (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
(pw->pw_uid != st.st_uid) || (pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) { (getgid() != st.st_gid)) {
fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
Prog, target, Prog, target,
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,

5
src/newuidmap.c
View File

@ -39,6 +39,7 @@
#include "defines.h" #include "defines.h"
#include "prototypes.h" #include "prototypes.h"
#include "subordinateio.h" #include "subordinateio.h"
#include "getdef.h"
#include "idmapping.h" #include "idmapping.h"
/* /*
@ -158,9 +159,9 @@ int main(int argc, char **argv)
* mappings we have been asked to set. * mappings we have been asked to set.
*/ */
if ((getuid() != pw->pw_uid) || if ((getuid() != pw->pw_uid) ||
(getgid() != pw->pw_gid) || (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
(pw->pw_uid != st.st_uid) || (pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) { (getgid() != st.st_gid)) {
fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
Prog, target, Prog, target,
(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,