[PATCH] libbb: Only setgid/setuid when necessary
Steven McDonald
steven at steven-mcdonald.id.au
Sat May 20 22:57:54 UTC 2017
This makes 'unshare --user' work correctly in the case where the user's
shell is provided by busybox itself.
'unshare --user' creates a new user namespace without any uid mappings.
As a result, /bin/busybox is setuid nobody:nogroup within the
namespace, as that is the only user. However, since no uids are mapped,
attempting to call setgid/setuid fails, even though this would do
nothing:
$ unshare --user ./busybox.broken ash
ash: setgid: Invalid argument
'unshare --map-root-user' still works, but because Linux only allows
uid/gid mappings to be set up once, creating a root mapping makes such
a namespace useless for creating multi-user containers.
With this patch, setgid and setuid will not be called in the case where
they would do nothing, which is always the case inside a new user
namespace because all uids are effectively mapped to nobody:
$ id -u
1000
$ ls -lh busybox.fixed
-rwsr-xr-x 1 root root 826.2K May 21 00:33 busybox.fixed
$ unshare --user ./busybox.fixed ash
$ id -u
65534
---
libbb/appletlib.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libbb/appletlib.c b/libbb/appletlib.c
index 7f0d62060..25831a420 100644
--- a/libbb/appletlib.c
+++ b/libbb/appletlib.c
@@ -670,8 +670,11 @@ static void check_suid(int applet_no)
if (geteuid())
bb_error_msg_and_die("must be suid to work properly");
} else if (APPLET_SUID(applet_no) == BB_SUID_DROP) {
- xsetgid(rgid); /* drop all privileges */
- xsetuid(ruid);
+ /* drop all privileges */
+ if (getegid() != rgid)
+ xsetgid(rgid);
+ if (geteuid() != ruid)
+ xsetuid(ruid);
}
# if ENABLE_FEATURE_SUID_CONFIG
ret: ;
--
2.13.0
More information about the busybox
mailing list