diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-07-10 09:17:43 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-07-10 09:17:43 +0200 |
| commit | 12a4f9afe702b89c616610d3a29bf08257c6bace (patch) | |
| tree | bad36f9bd86ae61bf188186eab53c636b179dd67 | |
| parent | 9de9c871bf44b931c7a1bb66d3134e2deb811f88 (diff) | |
| download | busybox-w32-12a4f9afe702b89c616610d3a29bf08257c6bace.tar.gz busybox-w32-12a4f9afe702b89c616610d3a29bf08257c6bace.tar.bz2 busybox-w32-12a4f9afe702b89c616610d3a29bf08257c6bace.zip | |
libbb: do not die if setgid/setuid(real_id) on startup fails
Based on a patch from Steven McDonald <steven@steven-mcdonald.id.au>:
This makes 'unshare --user' work correctly in the case where the user's
shell is provided by busybox itself.
'unshare --user' creates a new user namespace without any uid mappings.
As a result, /bin/busybox is setuid nobody:nogroup within the
namespace, as that is the only user. However, since no uids are mapped,
attempting to call setgid/setuid fails, even though this would do
nothing:
$ unshare --user ./busybox.broken ash
ash: setgid: Invalid argument
'unshare --map-root-user' still works, but because Linux only allows
uid/gid mappings to be set up once, creating a root mapping makes such
a namespace useless for creating multi-user containers.
With this patch, setgid and setuid will not be called in the case where
they would do nothing, which is always the case inside a new user
namespace because all uids are effectively mapped to nobody:
$ id -u
1000
$ ls -lh busybox.fixed
-rwsr-xr-x 1 root root 826.2K May 21 00:33 busybox.fixed
$ unshare --user ./busybox.fixed ash
$ id -u
65534
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | libbb/appletlib.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/libbb/appletlib.c b/libbb/appletlib.c index df6584978..b9fbbd1f2 100644 --- a/libbb/appletlib.c +++ b/libbb/appletlib.c | |||
| @@ -681,8 +681,21 @@ static void check_suid(int applet_no) | |||
| 681 | if (geteuid()) | 681 | if (geteuid()) |
| 682 | bb_error_msg_and_die("must be suid to work properly"); | 682 | bb_error_msg_and_die("must be suid to work properly"); |
| 683 | } else if (APPLET_SUID(applet_no) == BB_SUID_DROP) { | 683 | } else if (APPLET_SUID(applet_no) == BB_SUID_DROP) { |
| 684 | xsetgid(rgid); /* drop all privileges */ | 684 | /* |
| 685 | xsetuid(ruid); | 685 | * Drop all privileges. |
| 686 | * | ||
| 687 | * Don't check for errors: in normal use, they are impossible, | ||
| 688 | * and in special cases, exiting is harmful. Example: | ||
| 689 | * 'unshare --user' when user's shell is also from busybox. | ||
| 690 | * | ||
| 691 | * 'unshare --user' creates a new user namespace without any | ||
| 692 | * uid mappings. Thus, busybox binary is setuid nobody:nogroup | ||
| 693 | * within the namespace, as that is the only user. However, | ||
| 694 | * since no uids are mapped, calls to setgid/setuid | ||
| 695 | * fail (even though they would do nothing). | ||
| 696 | */ | ||
| 697 | setgid(rgid); | ||
| 698 | setuid(ruid); | ||
| 686 | } | 699 | } |
| 687 | # if ENABLE_FEATURE_SUID_CONFIG | 700 | # if ENABLE_FEATURE_SUID_CONFIG |
| 688 | ret: ; | 701 | ret: ; |