[CFT][PATCH 7/7] userns: Allow setting gid_maps without privilege when setgroups is disabled

Andy Lutomirski luto at amacapital.net
Mon Dec 8 22:26:44 UTC 2014


On Mon, Dec 8, 2014 at 2:14 PM, Eric W. Biederman <ebiederm at xmission.com> wrote:
>
> Now that setgroups can be disabled and not reenabled, setting gid_map
> without privielge can now be enabled when setgroups is disabled.
>
> This restores most of the functionality that was lost when unprivilege

unprivileged.

> setting of gid_map was removed.  Applications that use this
> functionality will need to check to see if they use setgroups or
> init_groups, and if they don't they can be fixed by simply
> disabling of setgroups before they run.

"disabling setgroups before writing to gid_map"?

The code is:

Reviewed-by: Andy Lutomirski <luto at amacapital.net>

>
> Cc: stable at vger.kernel.org
> Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
> ---
>  kernel/user_namespace.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 3d128f91ced3..459c7f647072 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -828,6 +828,11 @@ static bool new_idmap_permitted(const struct file *file,
>                         kuid_t uid = make_kuid(ns->parent, id);
>                         if (uid_eq(uid, cred->euid))
>                                 return true;
> +               } else if (cap_setid == CAP_SETGID) {
> +                       kgid_t gid = make_kgid(ns->parent, id);
> +                       if (!userns_setgroups_allowed(ns) &&
> +                           gid_eq(gid, cred->egid))
> +                               return true;
>                 }
>         }
>
> --
> 1.9.1
>



-- 
Andy Lutomirski
AMA Capital Management, LLC


More information about the Containers mailing list