From: Karel Zak Date: Thu, 6 May 2010 07:59:16 +0000 (+0200) Subject: unshare: drop potential euid privileges before exec X-Git-Tag: v2.18-rc1~115 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f1be691da4da51d3709ae26d4ad32edf163a195;p=thirdparty%2Futil-linux.git unshare: drop potential euid privileges before exec This patch drops potential euid privileges before executing the target program. This allows to setuid unshare. The unshare(1) is still distributed as non-setuid program. Based on patch from Martin Pohlack . Signed-off-by: Karel Zak --- diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1 index 31fcfde745..06e4ac205e 100644 --- a/sys-utils/unshare.1 +++ b/sys-utils/unshare.1 @@ -47,6 +47,9 @@ Unshare the IPC namespace, .TP .BR \-n , " \-\-net" Unshare the network namespace. +.SH NOTES +The unshare command drops potential privileges before executing the +target program. This allows to setuid unshare. .SH SEE ALSO unshare(2), clone(2) .SH BUGS diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c index df75d1776c..6b6177c542 100644 --- a/sys-utils/unshare.c +++ b/sys-utils/unshare.c @@ -113,6 +113,13 @@ int main(int argc, char *argv[]) if(-1 == unshare(unshare_flags)) err(EXIT_FAILURE, _("unshare failed")); + /* drop potential root euid/egid if we had been setuid'd */ + if (setgid(getgid()) < 0) + err(EXIT_FAILURE, _("cannot set group id")); + + if (setuid(getuid()) < 0) + err(EXIT_FAILURE, _("cannot set user id")); + execvp(argv[optind], argv + optind); err(EXIT_FAILURE, _("exec %s failed"), argv[optind]);
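
Review bot: in the sys-utils/unshare.1 hunk, the new NOTES paragraph says the command "drops potential privileges" without saying which privileges or at what point. Going by the unshare.c hunk, the text could state that the effective user and group IDs are reset to the real IDs after unshare(2) has succeeded and before the target program is executed, so a reader knows the namespace operation itself still runs with the setuid privileges for whoever invokes the binary. "This allows to setuid unshare" would read better as "This makes it possible to install unshare setuid"; the commit message notes the program is still distributed non-setuid, and that is worth repeating here for administrators.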
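
Review bot: in the block added before execvp() in main(), the comment says "root euid/egid", but setgid(getgid()) and setuid(getuid()) only reset the real and saved IDs as well when the process holds the matching privilege (the setuid-root case); for a binary installed setuid or setgid to a non-root owner they change the effective ID alone. Because execvp() follows immediately and the saved IDs are re-derived from the effective ones at exec, this is harmless here, but setresgid()/setresuid() with all three IDs set to the real value would make the intent explicit, and the comment could drop "root" to match. The order (group before user) and the checks on both return values are correct and should stay as they are, since a silently failed drop would exec the target with the elevated IDs.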