diff options
author | Christian Brauner <christian.brauner@ubuntu.com> | 2017-11-18 16:22:01 +0100 |
---|---|---|
committer | Christian Brauner <christian.brauner@ubuntu.com> | 2017-11-18 16:23:01 +0100 |
commit | ea69a5c87498ba94eb804ab628000ecfc50d6710 (patch) | |
tree | cd01246f639c4b6a25d9f7793319fc2e004a07bc | |
parent | 8db7f48cb74670829df037b2d037df3f36b71ecd (diff) | |
download | glibc-ea69a5c87498ba94eb804ab628000ecfc50d6710.tar.gz glibc-ea69a5c87498ba94eb804ab628000ecfc50d6710.tar.xz glibc-ea69a5c87498ba94eb804ab628000ecfc50d6710.zip |
support_become_root: Don't fail when /proc/<pid/setgroups is missing
The requirement to write "deny" to /proc/<pid>/setgroups for a given user namespace before being able to write a gid mapping was introduced in Linux 3.19. Before that this requirement including the file did not exist. So don't fail when errno == ENOENT.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | support/support_become_root.c | 21 |
2 files changed, 21 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog index b78f6722e2..5e3d174a5e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2017-11-18 Christian Brauner <christian.brauner@ubuntu.com> + + * support/support_become_root.c (setup_uid_gid_mapping): Don't fail + when /proc/<pid>/setgroups does not exist. + 2017-11-18 Florian Weimer <fweimer@redhat.com> * sysdeps/unix/sysv/linux/tst-ttyname.c diff --git a/support/support_become_root.c b/support/support_become_root.c index 5086570251..e45c939421 100644 --- a/support/support_become_root.c +++ b/support/support_become_root.c @@ -18,6 +18,7 @@ #include <support/namespace.h> +#include <errno.h> #include <fcntl.h> #include <sched.h> #include <stdio.h> @@ -50,11 +51,21 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid) xwrite (fd, buf, ret); xclose (fd); - /* Disable setgroups before mapping groups, otherwise that would - fail with EPERM. */ - fd = xopen ("/proc/self/setgroups", O_WRONLY, 0); - xwrite (fd, "deny\n", strlen ("deny\n")); - xclose (fd); + /* Linux 3.19 introduced the setgroups file. We need write "deny" to this + * file otherwise writing to gid_map will fail with EPERM. */ + fd = open64 ("/proc/self/setgroups", O_WRONLY, 0); + if (fd < 0) + { + if (errno != ENOENT) + FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m", + O_WRONLY, 0); + /* This kernel doesn't expose the setgroups file so simply move on. */ + } + else + { + xwrite (fd, "deny\n", strlen ("deny\n")); + xclose (fd); + } /* Now map our own GID, like we did for the user ID. */ fd = xopen ("/proc/self/gid_map", O_WRONLY, 0); |