nsenter: Allow selecting the uid and gid to be used in the entered userns

Using -S (--setuid) and -G (--setgid) one can select the uid/gid which
will be used in the entered user namespace.

[kzak@redhat.com: - use setuid/gid unconditionally (always),
                  - update man page]

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/sys-utils/nsenter.1 b/sys-utils/nsenter.1
index da22d0866e556f485c4703e99f0bf2a240c3f821..e3c08afa3dfbb46dfa6e73b60bce002e5888a1c5 100644 (file)
--- a/sys-utils/nsenter.1
+++ b/sys-utils/nsenter.1
@@ -123,7 +123,13 @@ file.
 \fB\-U\fR, \fB\-\-user\fR[=\fIfile\fR]
 Enter the user namespace.  If no file is specified, enter the user namespace of
 the target process.  If file is specified, enter the user namespace specified by
-file.
+file. See also \fB\-\-setuid\fR and \fB\-\-setgid\fR options.
+.TP
+\fB\-G\fR, \fB\-\-setgid\fR \fIgid\fR
+Set group ID which will be used in the entered user namespace.
+.TP
+\fB\-S\fR, \fB\-\-setuid\fR \fIuid\fR
+Set user ID which will be used in the entered user namespace.
 .TP
 \fB\-r\fR, \fB\-\-root\fR[=\fIdirectory\fR]
 Set the root directory.  If no directory is specified, set the root directory to

diff --git a/sys-utils/nsenter.c b/sys-utils/nsenter.c
index 106349c7ea4888148977f5ba27b0abad57ca9200..3d9ae2fb0e89d25bd0afa69808b730e86f4f0b0b 100644 (file)
--- a/sys-utils/nsenter.c
+++ b/sys-utils/nsenter.c
@@ -72,6 +72,8 @@ static void usage(int status)
        fputs(_(" -n, --net   [=<file>]  enter network namespace\n"), out);
        fputs(_(" -p, --pid   [=<file>]  enter pid namespace\n"), out);
        fputs(_(" -U, --user  [=<file>]  enter user namespace\n"), out);
+       fputs(_(" -S, --setuid <uid>     set uid in user namespace\n"), out);
+       fputs(_(" -G, --setgid <gid>     set gid in user namespace\n"), out);
        fputs(_(" -r, --root  [=<dir>]   set the root directory\n"), out);
        fputs(_(" -w, --wd    [=<dir>]   set the working directory\n"), out);
        fputs(_(" -F, --no-fork          do not fork before exec'ing <program>\n"), out);
@@ -169,6 +171,8 @@ int main(int argc, char *argv[])
                { "net", optional_argument, NULL, 'n' },
                { "pid", optional_argument, NULL, 'p' },
                { "user", optional_argument, NULL, 'U' },
+               { "setuid", required_argument, NULL, 'S' },
+               { "setgid", required_argument, NULL, 'G' },
                { "root", optional_argument, NULL, 'r' },
                { "wd", optional_argument, NULL, 'w' },
                { "no-fork", no_argument, NULL, 'F' },
@@ -179,6 +183,8 @@ int main(int argc, char *argv[])
        int c, namespaces = 0;
        bool do_rd = false, do_wd = false;
        int do_fork = -1; /* unknown yet */
+       uid_t uid = 0;
+       gid_t gid = 0;
 
        setlocale(LC_MESSAGES, "");
        bindtextdomain(PACKAGE, LOCALEDIR);
@@ -186,7 +192,7 @@ int main(int argc, char *argv[])
        atexit(close_stdout);
 
        while ((c =
-               getopt_long(argc, argv, "hVt:m::u::i::n::p::U::r::w::F",
+               getopt_long(argc, argv, "hVt:m::u::i::n::p::U::S:G:r::w::F",
                            longopts, NULL)) != -1) {
                switch (c) {
                case 'h':
@@ -234,6 +240,12 @@ int main(int argc, char *argv[])
                        else
                                namespaces |= CLONE_NEWUSER;
                        break;
+               case 'S':
+                       uid = strtoul_or_err(optarg, _("failed to parse uid"));
+                       break;
+               case 'G':
+                       gid = strtoul_or_err(optarg, _("failed to parse gid"));
+                       break;
                case 'F':
                        do_fork = 0;
                        break;
@@ -315,6 +327,13 @@ int main(int argc, char *argv[])
        if (do_fork == 1)
                continue_as_child();
 
+       if (namespaces & CLONE_NEWUSER) {
+               if (setuid(uid) < 0)
+                       err(EXIT_FAILURE, _("setuid failed"));
+               if (setgid(gid) < 0)
+                       err(EXIT_FAILURE, _("setgid failed"));
+       }
+
        if (optind < argc) {
                execvp(argv[optind], argv + optind);
                err(EXIT_FAILURE, _("failed to execute %s"), argv[optind]);