newuidmap,newgidmap: Relax gid checking to allow running under alternative group ID

Signed-off-by: Martijn de Gouw <martijn.de.gouw@prodrive-technologies.com>

diff --git a/etc/login.defs b/etc/login.defs
index 2eef4f2081c5d5fa5e2f5a7e24bd0dae7dba9d0c..b94091851e2fd36fcccdaf3426f244222aa080d4 100644 (file)
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -438,3 +438,9 @@ USERGROUPS_ENAB yes
 # missing.
 #
 #FORCE_SHADOW    yes
+
+#
+# Allow newuidmap and newgidmap when running under an alternative
+# primary group.
+#
+#GRANT_AUX_GROUP_SUBIDS yes

diff --git a/lib/getdef.c b/lib/getdef.c
index 926836257db8d303c48d634aab0382e86bf9c840..c35064735bc8961b56b011362c781e69d76fb341 100644 (file)
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -160,6 +160,7 @@ static struct itemdef def_table[] = {
        {"USE_TCB", NULL},
 #endif
        {"FORCE_SHADOW", NULL},
+       {"GRANT_AUX_GROUP_SUBIDS", NULL},
        {NULL, NULL}
 };
 

diff --git a/src/newgidmap.c b/src/newgidmap.c
index 7fcb459fb7f0f318c47682e4ea82e49dc11a12bd..85b08055d186842c60e9b7f078865087ae707b63 100644 (file)
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"
 
 /*
@@ -60,7 +61,7 @@ static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow
        }
 
        /* Allow a process to map its own gid. */
-       if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+       if ((range->count == 1) && (getgid() == range->lower)) {
                /* noop -- if setgroups is enabled already we won't disable it. */
                return true;
        }
@@ -228,9 +229,9 @@ int main(int argc, char **argv)
         * mappings we have been asked to set.
         */
        if ((getuid() != pw->pw_uid) ||
-           (getgid() != pw->pw_gid) ||
+           (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
            (pw->pw_uid != st.st_uid) ||
-           (pw->pw_gid != st.st_gid)) {
+           (getgid() != st.st_gid)) {
                fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
                        Prog, target,
                        (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,

diff --git a/src/newuidmap.c b/src/newuidmap.c
index 55d84ba8c6fb072bd3e25915dc3a97d84730a01a..b8466de0af0323b17a814e93ffef51c947160fdc 100644 (file)
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -39,6 +39,7 @@
 #include "defines.h"
 #include "prototypes.h"
 #include "subordinateio.h"
+#include "getdef.h"
 #include "idmapping.h"
 
 /*
@@ -158,9 +159,9 @@ int main(int argc, char **argv)
         * mappings we have been asked to set.
         */
        if ((getuid() != pw->pw_uid) ||
-           (getgid() != pw->pw_gid) ||
+           (!getdef_bool("GRANT_AUX_GROUP_SUBIDS") && (getgid() != pw->pw_gid)) ||
            (pw->pw_uid != st.st_uid) ||
-           (pw->pw_gid != st.st_gid)) {
+           (getgid() != st.st_gid)) {
                fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
                        Prog, target,
                        (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,