idmap: always seteuid to the owner of the namespace
simplify the condition for setting the euid of the process. Now it is
always set when we are running as root, the issue was introduced with
the commit 52c081b02c
Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if
it currently == 0 (i.e. really was setuid-*root*).
Closes: https://github.com/genuinetools/img/issues/191
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
This commit is contained in:
parent
42324e5017
commit
59c2dabb26
@ -161,14 +161,8 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings,
|
|||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (capget(&hdr, data) < 0) {
|
|
||||||
fprintf(stderr, _("%s: Could not get capabilities\n"), Prog);
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Align setuid- and fscaps-based new{g,u}idmap behavior. */
|
/* Align setuid- and fscaps-based new{g,u}idmap behavior. */
|
||||||
if (!(data[0].effective & CAP_TO_MASK(CAP_SYS_ADMIN)) && ruid != 0 &&
|
if (geteuid() == 0 && geteuid() != ruid) {
|
||||||
ruid == getuid() && ruid != geteuid()) {
|
|
||||||
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
|
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
|
||||||
fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog);
|
fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog);
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
|
Loading…
Reference in New Issue
Block a user