mkbox


commit 4e08550a87db30e09671dc1d00d69041c13e37f7
parent 630b4147e0f06003d35f1ae352d888ce73daeb63
Author: Brian Swetland <swetland@frotz.net>
Date:   Tue,  5 May 2015 04:32:32 -0700

write to setgroups before gid_map if it exists to avoid EPERM

backwards-compatible variant of fix suggested by Aleksandr Dobkin:
https://github.com/adob/mkbox/commit/7608dcdfbf6a0df9572353b63d12d163e0408bd0

Information about setgroups here:
http://man7.org/linux/man-pages/man7/user_namespaces.7.html

Diffstat:
Mmkbox.c | 9++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mkbox.c b/mkbox.c
@@ -203,12 +203,19 @@ int main(int argc, char **argv) {
 ok(write, fd, buf, strlen(buf));
 ok(close, fd);
+ /* must disallow setgroups() before writing to gid_map on
+ * versions of linux with this feature:
+ */
+ if ((fd = open("/proc/self/setgroups", O_WRONLY)) >= 0) {
+ ok(write, fd, "deny", 4);
+ ok(close, fd);
+ }
 sprintf(buf, "%d %d 1\n", newgid, gid);
 fd = ok(open, "/proc/self/gid_map", O_WRONLY);
 ok(write, fd, buf, strlen(buf));
 ok(close, fd);
- /* initially we're nobody, change to 3333 */
+ /* initially we're nobody, change to newgid/newuid */
 ok(setresgid, newgid, newgid, newgid);
 ok(setresuid, newuid, newuid, newuid);
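Review bot: The added `open("/proc/self/setgroups", O_WRONLY)` treats every failure as "this kernel has no setgroups file", so an unexpected error is skipped silently and only shows up afterwards as EPERM from the gid_map write (assuming ok() aborts on failure, as its use here suggests). Tolerating only the missing-file case keeps the backwards compatibility and makes the real cause visible, for example `} else if (errno != ENOENT) { perror("/proc/self/setgroups"); return 1; }`, or the file's own error path if it has one. The new comment could also record the lasting effect of the write, since after "deny" the process can no longer call setgroups() in this namespace and so keeps whatever supplementary groups the caller had: `/* setgroups() stays disabled from here on; supplementary groups are inherited as-is */`. The body of main starts and ends outside the hunk.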