Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

userns: Allow setting gid_maps without privilege when setgroups is disabled

Now that setgroups can be disabled and not reenabled, setting gid_map
without privielge can now be enabled when setgroups is disabled.

This restores most of the functionality that was lost when unprivileged
setting of gid_map was removed.  Applications that use this functionality
will need to check to see if they use setgroups or init_groups, and if they
don't they can be fixed by simply disabling setgroups before writing to
gid_map.

Cc: stable@vger.kernel.org
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman 10 years ago
parent
9cc46516dd
commit
66d2f338ee
1 changed files with 5 additions and 0 deletions
Unified View Show Diff Stats
  1. 5 0
      kernel/user_namespace.c

+ 5 - 0
kernel/user_namespace.c
View File 

@@ -826,6 +826,11 @@ static bool new_idmap_permitted(const struct file *file,
 
 			kuid_t uid = make_kuid(ns->parent, id);
 
 			kuid_t uid = make_kuid(ns->parent, id);
 
 			if (uid_eq(uid, cred->euid))
 
 			if (uid_eq(uid, cred->euid))
 
 				return true;
 
 				return true;
 
+		} else if (cap_setid == CAP_SETGID) {
 
+			kgid_t gid = make_kgid(ns->parent, id);
 
+			if (!(ns->flags & USERNS_SETGROUPS_ALLOWED) &&
 
+			    gid_eq(gid, cred->egid))
 
+				return true;
 
 		}
 
 		}
 
 	}
 
 	}