[merged] random fixes #117
@@ -518,7 +518,7 @@ switch_to_user_with_privs (void) | |||
if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) | |||
die_with_error ("prctl(PR_SET_KEEPCAPS) failed"); | |||
|
|||
if (setuid (real_uid) < 0) | |||
if (setuid (opt_sandbox_uid) < 0) |
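Review bot: setuid (opt_sandbox_uid) now passes an option-derived value to setuid() right after PR_SET_KEEPCAPS is set, and nothing at this call site shows that the value is constrained. The call is only safe if opt_sandbox_uid equals real_uid whenever the user namespace is not unshared, so restate that invariant here, either as a comment pointing at the check or as a guard of the form if (!opt_unshare_user && opt_sandbox_uid != real_uid) die (...), so that a later change to option parsing cannot silently turn this into a setuid to an arbitrary uid in the host namespace.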
Hm, we're not currently validating that opt_sandbox_uid being set requires --unshare-user AFAICS. Which I think means this could be used to gain uid 0 in the host userns, right?
If --uid was not specified (which is allowed only with --unshare-user), then opt_sandbox_uid is set to real_uid in main.
We do:
if (!opt_unshare_user && opt_sandbox_uid != real_uid)
die ("Specifying --uid requires --unshare-user");
Which looks ok to me.
die ("Unable to set fsuid (was %d)", (int)new_fsid); | ||
|
||
if (setfsgid (real_gid) < 0) | ||
die_with_error ("Unable to set fsgid"); |
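Review bot: the if (setfsgid (real_gid) < 0) test cannot detect a failure, because setfsgid(2) returns the previous filesystem gid on both success and failure rather than -1, and it leaves no errno for die_with_error to report. Follow the read-back pattern that the fsuid code just above appears to use (the die with "was %d" on new_fsid): call setfsgid (real_gid), call setfsgid (-1) to read the current value back, and die if the result is not real_gid.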
I don't understand this. The binary is not setgid, only setuid, so it should have the right gid always. What exactly happens that makes this a problem?
I am going to drop this patch as we discussed on IRC.
For the record, it was an error on my side as I was using "chmod +s" instead of "chmod u+s" for testing locally the bwrap executable.
since we set uid after we are in the new namespace, use the uid in the new user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #117 Approved by: alexlarsson
☀️ Test successful - status-redhatci