shadow/src
Aleksa Sarai fb28c99b8a
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Reported-by: Craig Furman <craig.furman89@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-02-16 17:56:35 +11:00
.gitignore Ignore generated newgidmap and newuidmap 2013-08-11 14:48:39 +02:00
.indent.pro [svn-upgrade] Integrating new upstream version, shadow (4.0.8) 2007-10-07 11:46:07 +00:00
chage.c Fixes misspelling of MAX_DAYS help text 2018-01-17 12:21:48 +00:00
chfn.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
chgpasswd.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
chpasswd.c Make the sp_lstchg shadow field reproducible. 2017-04-10 22:29:21 +01:00
chsh.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
expiry.c Fixed signal races in shadow tools. 2016-07-02 18:11:09 +02:00
faillog.c * src/faillog.c: The fail_max field is a short, use a short also 2011-11-19 21:44:34 +00:00
gpasswd.c Fixed signal races in shadow tools. 2016-07-02 18:11:09 +02:00
groupadd.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
groupdel.c Merge pull request #4 from xnox/master 2015-11-12 23:07:29 -06:00
groupmems.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
groupmod.c implement and document additional error codes for groupmod add E_CLEANUP_SERVICE, E_PAM_USERNAME, E_PAM_ERROR to groupmod.c and groupmod.8.xml 2017-07-10 21:50:49 -05:00
groups.c * src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c, 2010-08-22 19:36:09 +00:00
grpck.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
grpconv.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
grpunconv.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
id.c * src/newgrp.c: Limit the scope of variable pid. 2010-03-23 11:26:34 +00:00
lastlog.c Add ability to clear or set lastlog record for user via lastlog command 2016-03-03 15:37:01 +01:00
login_nopam.c * src/newgrp.c: Limit the scope of variable pid. 2010-03-23 11:26:34 +00:00
login.c Fixed signal races in shadow tools. 2016-07-02 18:11:09 +02:00
logoutd.c * src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c, 2010-08-22 19:36:09 +00:00
Makefile.am shadow: Add auditing support to su 2016-12-13 18:44:19 +02:00
newgidmap.c newgidmap: enforce setgroups=deny if self-mapping a group 2018-02-16 17:56:35 +11:00
newgrp.c newgrp: avoid unnecessary group lookups 2017-08-14 11:38:46 +02:00
newuidmap.c Fixed typos in new{g,u}idmap tools. 2016-07-02 16:39:18 +02:00
newusers.c Make the sp_lstchg shadow field reproducible. 2017-04-10 22:29:21 +01:00
nologin.c * src/nologin.c: Include <stdlib.h> to get EXIT_FAILURE. 2009-05-09 13:14:23 +00:00
passwd.c Make the sp_lstchg shadow field reproducible. 2017-04-10 22:29:21 +01:00
pwck.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
pwconv.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
pwunconv.c Do not fail on missing files in /etc/, create them instead. 2015-02-27 17:01:29 +00:00
su.c Reset pid_child only if waitpid was successful. 2017-05-14 17:58:10 +02:00
suauth.c * lib/prototypes.h, src/suauth.c, src/su.c (check_su_auth): Do not 2011-06-13 18:26:26 +00:00
sulogin.c Fixed signal races in shadow tools. 2016-07-02 18:11:09 +02:00
useradd.c Make the sp_lstchg shadow field reproducible. 2017-04-10 22:29:21 +01:00
userdel.c Make userdel to work with -R. 2017-12-21 09:12:58 +01:00
usermod.c Make language less binary 2017-09-20 17:00:29 +01:00
vipw.c Improve vipw error report when editor fails 2013-08-25 16:27:58 +02:00