git.ipfire.org Git - thirdparty/systemd.git/commit

author	Ryan Wilson <ryantimwilson@meta.com>
	Sat, 30 Nov 2024 22:14:35 +0000 (14:14 -0800)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Thu, 12 Dec 2024 11:36:10 +0000 (11:36 +0000)
commit	2665425176f19ee26568151a3fabf3a117269b50
tree	ec1f83ac5d5877ca08447cac3464d26f9271df79	tree \| snapshot
parent	705cc82938b67fa110f2f6f5d28bfb9ec2f339c0	commit \| diff

core: Set /proc/pid/setgroups to allow for PrivateUsers=full

When trying to run dbus-broker in a systemd unit with PrivateUsers=full,
we see dbus-broker fails with EPERM at `util_audit_drop_permissions`.

The root cause is dbus-broker calls the setgroups() system call and this
is disallowed via systemd's implementation of PrivateUsers= by setting
/proc/pid/setgroups = deny. This is done to remediate potential privilege
escalation vulnerabilities in user namespaces where an attacker can remove
supplementary groups and gain access to resources where those groups are
restricted.

However, for OS-like containers, setgroups() is a pretty common API and
disabling it is not feasible. So we allow setgroups() by setting
/proc/pid/setgroups to allow in PrivateUsers=full. Note security conscious
users can still use SystemCallFilter= to disable setgroups() if they want
to specifically prevent this system call.

Fixes: #35425

man/systemd.exec.xml		diff \| blob \| blame \| history
src/core/exec-invoke.c		diff \| blob \| blame \| history
test/units/TEST-07-PID1.private-users.sh		diff \| blob \| blame \| history