allow setgroups when using exclusively newgid
This commit is contained in:
parent
2ca90bf208
commit
1111bb135a
15
user.cc
15
user.cc
@ -77,12 +77,21 @@ static bool setResUid(uid_t uid) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool hasGidMapSelf(nsjconf_t* nsjconf) {
|
||||||
|
for (const auto& gid : nsjconf->gids) {
|
||||||
|
if (!gid.is_newidmap) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
static bool setGroupsDeny(nsjconf_t* nsjconf, pid_t pid) {
|
static bool setGroupsDeny(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
/*
|
/*
|
||||||
* No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to
|
* No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to
|
||||||
* uid_map/gid_map will succeed anyway
|
* uid_map/gid_map will succeed anyway
|
||||||
*/
|
*/
|
||||||
if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0) {
|
if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0 || !hasGidMapSelf(nsjconf)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -153,7 +162,7 @@ static bool gidMapSelf(nsjconf_t* nsjconf, pid_t pid) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Use /usr/bin/newgidmap for writing the gid map */
|
/* Use /usr/bin/newgidmap for writing the gid map */
|
||||||
static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
bool use = false;
|
bool use = false;
|
||||||
|
|
||||||
std::vector<std::string> argv = {"/usr/bin/newgidmap", std::to_string(pid)};
|
std::vector<std::string> argv = {"/usr/bin/newgidmap", std::to_string(pid)};
|
||||||
@ -179,7 +188,7 @@ static bool gidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Use /usr/bin/newuidmap for writing the uid map */
|
/* Use /usr/bin/newuidmap for writing the uid map */
|
||||||
static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid UNUSED) {
|
static bool uidMapExternal(nsjconf_t* nsjconf, pid_t pid) {
|
||||||
bool use = false;
|
bool use = false;
|
||||||
|
|
||||||
std::vector<std::string> argv = {"/usr/bin/newuidmap", std::to_string(pid)};
|
std::vector<std::string> argv = {"/usr/bin/newuidmap", std::to_string(pid)};
|
||||||
|
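Review bot: The new `!hasGidMapSelf(nsjconf)` clause in `if (!nsjconf->clone_newuser || nsjconf->orig_euid == 0 || !hasGidMapSelf(nsjconf)) {` is not covered by the comment directly above it, which only explains why the euid==0 case may skip writing 'deny' to /proc/pid/setgroups. Skipping the write when every gid entry has is_newidmap set means setgroups() stays permitted inside the new user namespace, which is a deliberate relaxation of the jail's policy and belongs next to the check; I would extend the comment with `* Likewise skip it when every gid is mapped via /usr/bin/newgidmap: the helper writes gid_map itself, so 'deny' is not needed for the mapping and setgroups remains allowed in the namespace.` Whether newgidmap applies any setgroups restriction of its own is not visible in this diff, so that should be confirmed before the comment asserts it. The body of setGroupsDeny continues outside the hunk; the UNUSED removals on the gidMapExternal and uidMapExternal signatures are a consistent cleanup, since pid is already used in the `std::to_string(pid)` argv line in both.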