From 59c2dabb264ef7b3137f5edb52c0b31d5af0cf76 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Tue, 20 Nov 2018 20:43:43 +0100 Subject: [PATCH] idmap: always seteuid to the owner of the namespace simplify the condition for setting the euid of the process. Now it is always set when we are running as root, the issue was introduced with the commit 52c081b02c4ca4432330ee336a60f6f803431e63 Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if it currently == 0 (i.e. really was setuid-*root*). Closes: https://github.com/genuinetools/img/issues/191 Signed-off-by: Giuseppe Scrivano Signed-off-by: Serge Hallyn --- libmisc/idmapping.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c index d6ff6671..aea94936 100644 --- a/libmisc/idmapping.c +++ b/libmisc/idmapping.c @@ -161,14 +161,8 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings, exit(EXIT_FAILURE); } - if (capget(&hdr, data) < 0) { - fprintf(stderr, _("%s: Could not get capabilities\n"), Prog); - exit(EXIT_FAILURE); - } - /* Align setuid- and fscaps-based new{g,u}idmap behavior. */ - if (!(data[0].effective & CAP_TO_MASK(CAP_SYS_ADMIN)) && ruid != 0 && - ruid == getuid() && ruid != geteuid()) { + if (geteuid() == 0 && geteuid() != ruid) { if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog); exit(EXIT_FAILURE);