
List:       busybox
Subject:    [PATCH] libbb: Only setgid/setuid when necessary
From:       Steven McDonald <steven () steven-mcdonald ! id ! au>
Date:       2017-05-20 22:57:54
Message-ID: 20170520225754.3183-1-steven () steven-mcdonald ! id ! au

This makes 'unshare --user' work correctly in the case where the user's
shell is provided by busybox itself.

'unshare --user' creates a new user namespace without any uid mappings.
As a result, /bin/busybox is setuid nobody:nogroup within the
namespace, as that is the only user. However, since no uids are mapped,
attempting to call setgid/setuid fails, even though this would do
nothing:

  $ unshare --user ./busybox.broken ash
  ash: setgid: Invalid argument

'unshare --map-root-user' still works, but because Linux only allows
uid/gid mappings to be set up once, creating a root mapping makes such
a namespace useless for creating multi-user containers.

With this patch, setgid and setuid will not be called in the case where
they would do nothing, which is always the case inside a new user
namespace because all uids are effectively mapped to nobody:

  $ id -u
  1000
  $ ls -lh busybox.fixed
  -rwsr-xr-x    1 root     root      826.2K May 21 00:33 busybox.fixed
  $ unshare --user ./busybox.fixed ash
  $ id -u
  65534
---
 libbb/appletlib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libbb/appletlib.c b/libbb/appletlib.c
index 7f0d62060..25831a420 100644
--- a/libbb/appletlib.c
+++ b/libbb/appletlib.c
@@ -670,8 +670,11 @@ static void check_suid(int applet_no)
 		if (geteuid())
 			bb_error_msg_and_die("must be suid to work properly");
 	} else if (APPLET_SUID(applet_no) == BB_SUID_DROP) {
-		xsetgid(rgid);  /* drop all privileges */
-		xsetuid(ruid);
+		/* drop all privileges */
+		if (getegid() != rgid)
+			xsetgid(rgid);
+		if (geteuid() != ruid)
+			xsetuid(ruid);
 	}
 #  if ENABLE_FEATURE_SUID_CONFIG
  ret: ;
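Review bot: the two new guards rest on an assumption the comment does not state, namely that geteuid() == ruid implies setuid(ruid) would change nothing, and a reader will otherwise wonder whether the saved set-user-ID is left elevated. It holds because an unprivileged setuid()/setgid() only changes the effective id, so when that already equals the real id the call is a no-op, while the privileged (CAP_SETUID/CAP_SETGID) form that rewrites all three ids is only skipped when the effective id already equals the real one, where there is no privilege to drop. Suggest expanding the comment above the guards to something like `/* drop all privileges; skip the calls when the effective ids already match: they would be no-ops, and in an unmapped user namespace they fail with EINVAL */` so that the namespace motivation from the commit message survives in the code. The gid-before-uid ordering is kept, which is correct, since dropping uid first could make the later setgid() fail.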
-- 
2.13.0

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
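As an added illustration that is not part of this message and not busybox code, the following standalone C program reproduces the failure the commit message describes and the effect of the guard. The helper names `drop_privs_if_needed` (mirroring the patched BB_SUID_DROP branch) and `drop_privs_unconditional` (mirroring the pre-patch branch) are hypothetical. The child process enters a fresh, unmapped user namespace, the same state `unshare --user` produces: every id reads as the overflow id (65534 by default), the unconditional setgid() fails with EINVAL, and the guarded variant never makes the call. If user namespaces are unavailable where it runs, the program reports that and skips the namespace part.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* fallback if <sched.h> was not read in GNU mode */
#endif
int unshare(int flags); /* glibc only declares this under _GNU_SOURCE */

/* Outcome of one privilege-drop attempt. */
enum drop_result { DROP_NOOP = 0, DROP_DONE = 1, DROP_FAILED = -1 };

/*
 * Hypothetical helper mirroring the patched branch: call setgid()/setuid()
 * only when the effective id differs from the target.  An unprivileged
 * setgid()/setuid() changes only the effective id, so when that already
 * matches there is nothing left to do.  On failure returns DROP_FAILED
 * and stores errno in *err.
 */
enum drop_result drop_privs_if_needed(uid_t ruid, gid_t rgid, int *err)
{
    int changed = 0;
    *err = 0;
    if (getegid() != rgid) {
        if (setgid(rgid) != 0) { *err = errno; return DROP_FAILED; }
        changed = 1;
    }
    if (geteuid() != ruid) {
        if (setuid(ruid) != 0) { *err = errno; return DROP_FAILED; }
        changed = 1;
    }
    return changed ? DROP_DONE : DROP_NOOP;
}

/* Hypothetical helper mirroring the pre-patch branch: always call both. */
enum drop_result drop_privs_unconditional(uid_t ruid, gid_t rgid, int *err)
{
    *err = 0;
    if (setgid(rgid) != 0 || setuid(ruid) != 0) { *err = errno; return DROP_FAILED; }
    return DROP_DONE;
}

static const char *result_name(enum drop_result r)
{
    return r == DROP_NOOP ? "no-op" : r == DROP_DONE ? "dropped" : "FAILED";
}

/*
 * Reproduce 'unshare --user': a new user namespace with no uid/gid mapping.
 * Inside it every id reads as the overflow id, and setgid()/setuid() on that
 * id fail with EINVAL because it is not mapped in the namespace.
 */
static void demo_in_unmapped_userns(void)
{
    int err;
    enum drop_result r;
    if (unshare(CLONE_NEWUSER) != 0) {
        printf("unshare(CLONE_NEWUSER): %s; cannot show the namespace case here\n",
               strerror(errno));
        return;
    }
    printf("inside new userns: uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    r = drop_privs_unconditional(getuid(), getgid(), &err);
    printf("unconditional (old): %s%s%s\n", result_name(r),
           err ? ", errno: " : "", err ? strerror(err) : "");
    r = drop_privs_if_needed(getuid(), getgid(), &err);
    printf("guarded (patched):   %s%s%s\n", result_name(r),
           err ? ", errno: " : "", err ? strerror(err) : "");
}

int main(void)
{
    int err;
    /* A normal, non-setuid process already has euid == uid: the guard does nothing. */
    printf("outside: uid=%u euid=%u -> guarded: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           result_name(drop_privs_if_needed(getuid(), getgid(), &err)));
    /* Run the namespace experiment in a child so the parent stays where it was. */
    pid_t pid = fork();
    if (pid == 0) { demo_in_unmapped_userns(); _exit(0); }
    if (pid > 0) waitpid(pid, NULL, 0);
    return 0;
}
```

Build with `gcc -Wall demo.c -o demo` and run as an ordinary user; the child line prints `unconditional (old): FAILED, errno: Invalid argument` followed by `guarded (patched): no-op`, which is exactly the difference between `ash: setgid: Invalid argument` and a working shell in the message above.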