From: Giuseppe Scrivano
Date: Tue, 20 Nov 2018 19:43:43 +0000 (+0100)
Subject: idmap: always seteuid to the owner of the namespace
X-Git-Tag: 4.7~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59c2dabb264ef7b3137f5edb52c0b31d5af0cf76;p=thirdparty%2Fshadow.git

idmap: always seteuid to the owner of the namespace

simplify the condition for setting the euid of the process. Now it is always set when we are running as root, the issue was introduced with the commit 52c081b02c4ca4432330ee336a60f6f803431e63

Changelog: 2018-11-24 - seh - enforce that euid only gets set to ruid if it currently == 0 (i.e. really was setuid-*root*).

Closes: https://github.com/genuinetools/img/issues/191

Signed-off-by: Giuseppe Scrivano
Signed-off-by: Serge Hallyn
---
diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c index d6ff6671e..aea94936d 100644 --- a/libmisc/idmapping.c +++ b/libmisc/idmapping.c @@ -161,14 +161,8 @@ void write_mapping(int proc_dir_fd, int ranges, struct map_range *mappings, exit(EXIT_FAILURE); } - if (capget(&hdr, data) < 0) { - fprintf(stderr, _("%s: Could not get capabilities\n"), Prog); - exit(EXIT_FAILURE); - } - /* Align setuid- and fscaps-based new{g,u}idmap behavior. */ - if (!(data[0].effective & CAP_TO_MASK(CAP_SYS_ADMIN)) && ruid != 0 && - ruid == getuid() && ruid != geteuid()) { + if (geteuid() == 0 && geteuid() != ruid) { if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { fprintf(stderr, _("%s: Could not prctl(PR_SET_KEEPCAPS)\n"), Prog); exit(EXIT_FAILURE);
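
Review bot: The new condition `geteuid() == 0 && geteuid() != ruid` in write_mapping() drops the old `ruid == getuid()` clause, so the euid switch is no longer tied to the caller's real uid, and the commit message does not say why that is safe. Nothing in the visible lines shows how `ruid` is validated before it reaches this check, so please either state in the message (or in the comment above the `if`) that the caller has already verified the namespace owner, or keep an explicit check here. The second comparison is equivalent to `ruid != 0` once `geteuid() == 0` holds; `geteuid() == 0 && ruid != 0` avoids the second call and reads more directly. With `capget(&hdr, data)` removed, also confirm that any later use of `hdr` and `data` in this function initialises them itself instead of relying on the values capget used to fill in.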