/* clear any inherited settings */
signal(SIGCHLD, SIG_DFL);
- if (npersists && (unshare_flags & CLONE_NEWNS))
+ if (npersists && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER)))
pid_bind = bind_ns_files_from_child(&fd_bind);
+ if (usermap || (mapuser != (uid_t) -1 && owneruser != (uid_t) -1)) {
+ add_single_map_range(&usermap, real_euid, mapuser);
+ mapuser = -1;
+ }
+
+ if (groupmap || (mapgroup != (uid_t) -1 && ownergroup != (uid_t) -1)) {
+ add_single_map_range(&groupmap, real_egid, mapgroup);
+ mapgroup = -1;
+ }
+
if (usermap || groupmap)
- pid_idmap = map_ids_from_child(&fd_idmap, mapuser, usermap,
- mapgroup, groupmap);
+ pid_idmap = map_ids_from_child(&fd_idmap, usermap, groupmap);
+
+ if (ownergroup != (gid_t) -1 && setgroups(0, NULL) != 0)
+ err(EXIT_FAILURE, _("setgroups failed"));
+ if (ownergroup != (gid_t) -1 && setgid(ownergroup) != 0)
+ err(EXIT_FAILURE, _("setgid() failed"));
+ if (owneruser != (uid_t) -1 && setuid(owneruser) != 0)
+ err(EXIT_FAILURE, _("setuid() failed"));
if (-1 == unshare(unshare_flags))
err(EXIT_FAILURE, _("unshare failed"));
#endif
}
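Review bot: The privilege drop in the added `setgroups`/`setgid`/`setuid` lines clears the supplementary groups and changes the gid only when `ownergroup` is set, so a run that sets `owneruser` alone reaches `setuid(owneruser)` still holding the caller's gid and supplementary group list. Unless option parsing (not visible here) forces both values to be given together, the group drop should be keyed on either owner value, for example `if ((owneruser != (uid_t) -1 || ownergroup != (gid_t) -1) && setgroups(0, NULL) != 0)`, with a short comment recording that the order groups, then gid, then uid is required. Two smaller points in the same hunk: the group test compares `mapgroup` and `ownergroup` against `(uid_t) -1` where `(gid_t) -1` is meant, and when `usermap` is set without a single-user mapping, `add_single_map_range()` is still called with `mapuser` at its unset value, which is safe only if that helper ignores it. The enclosing function starts outside the visible lines, so whether these values are validated earlier cannot be confirmed from here.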
- if (mapuser != MAX_OF_UINT_TYPE(uid_t) && !usermap)
- if (mapuser != (uid_t) -1)
++ if (mapuser != MAX_OF_UINT_TYPE(uid_t))
map_id(_PATH_PROC_UIDMAP, mapuser, real_euid);
/* Since Linux 3.19 unprivileged writing of /proc/self/gid_map
* has been disabled unless /proc/self/setgroups is written
* first to permanently disable the ability to call setgroups
* in that user namespace. */
- if (mapgroup != MAX_OF_UINT_TYPE(gid_t) && !groupmap) {
- if (mapgroup != (gid_t) -1) {
++ if (mapgroup != MAX_OF_UINT_TYPE(gid_t)) {
if (setgrpcmd == SETGROUPS_ALLOW)
errx(EXIT_FAILURE, _("options --setgroups=allow and "
"--map-group are mutually exclusive"));