[prev in list] [next in list] [prev in thread] [next in thread]
List: pkg-shadow-devel
Subject: [Pkg-shadow-devel] [PATCH] new?idmap: verbose error when uid/gid do not match
From: Hank Leininger <hlein () korelogic ! com>
Date: 2015-03-25 5:15:00
Message-ID: 20150325010405.e99d622e-085c-439f-95de-b3aea0bb071d () korelogic ! com
[Download RAW message or body]
[Attachment #2 (multipart/signed)]
Below is a patch that expands the error message when newuidmap /
newgidmap do not like the user/group ownership of their target process.
Currently the error is just:
newuidmap: Target [pid] is owned by a different user
With this patch it will be like:
newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 \
pw_gid:0 st_gid:99
Why is this useful? Well, in my case...
The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid. This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.
This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.
Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.
Some graceful way of handling this and not failing, will be next ;) But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.
Thanks!
Signed-off-by: Hank Leininger <hlein@korelogic.com>
---
diff -urP shadow-4.2.1.orig/src/newgidmap.c shadow-4.2.1/src/newgidmap.c
--- shadow-4.2.1.orig/src/newgidmap.c 2014-03-01 13:59:51.000000000 -0500
+++ shadow-4.2.1/src/newgidmap.c 2015-03-25 00:37:39.074144574 -0400
@@ -160,8 +160,10 @@
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu \
st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), + Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long \
int)st.st_uid, + (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, \
(unsigned long int)st.st_gid); return EXIT_FAILURE;
}
diff -urP shadow-4.2.1.orig/src/newuidmap.c shadow-4.2.1/src/newuidmap.c
--- shadow-4.2.1.orig/src/newuidmap.c 2014-03-01 13:59:51.000000000 -0500
+++ shadow-4.2.1/src/newuidmap.c 2015-03-25 00:36:56.138141710 -0400
@@ -160,8 +160,10 @@
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu \
pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), + Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long \
int)st.st_uid, + (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, \
(unsigned long int)st.st_gid); return EXIT_FAILURE;
}
["signature.asc" (application/pgp-signature)]
_______________________________________________
Pkg-shadow-devel mailing list
Pkg-shadow-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic