commit 4e08550a87db30e09671dc1d00d69041c13e37f7
parent 630b4147e0f06003d35f1ae352d888ce73daeb63
Author: Brian Swetland <swetland@frotz.net>
Date: Tue, 5 May 2015 04:32:32 -0700
write to setgroups before gid_map if it exists to avoid EPERM
backwards-compatible variant of fix suggested by Aleksandr Dobkin:
https://github.com/adob/mkbox/commit/7608dcdfbf6a0df9572353b63d12d163e0408bd0
Information about setgroups here:
http://man7.org/linux/man-pages/man7/user_namespaces.7.html
Diffstat:
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/mkbox.c b/mkbox.c
@@ -203,12 +203,19 @@ int main(int argc, char **argv) {
ok(write, fd, buf, strlen(buf));
ok(close, fd);
+ /* must disallow setgroups() before writing to gid_map on
+ * versions of linux with this feature:
+ */
+ if ((fd = open("/proc/self/setgroups", O_WRONLY)) >= 0) {
+ ok(write, fd, "deny", 4);
+ ok(close, fd);
+ }
sprintf(buf, "%d %d 1\n", newgid, gid);
fd = ok(open, "/proc/self/gid_map", O_WRONLY);
ok(write, fd, buf, strlen(buf));
ok(close, fd);
- /* initially we're nobody, change to 3333 */
+ /* initially we're nobody, change to newgid/newuid */
ok(setresgid, newgid, newgid, newgid);
ok(setresuid, newuid, newuid, newuid);
