[git commit] libbb: do not die if setgid/setuid(real_id) on startup fails

Denys Vlasenko vda.linux at googlemail.com
Mon Jul 10 07:17:43 UTC 2017


commit: https://git.busybox.net/busybox/commit/?id=12a4f9afe702b89c616610d3a29bf08257c6bace
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Based on a patch from Steven McDonald <steven at steven-mcdonald.id.au>:

This makes 'unshare --user' work correctly in the case where the user's
shell is provided by busybox itself.

'unshare --user' creates a new user namespace without any uid mappings.
As a result, /bin/busybox is setuid nobody:nogroup within the
namespace, as that is the only user. However, since no uids are mapped,
attempting to call setgid/setuid fails, even though this would do
nothing:

  $ unshare --user ./busybox.broken ash
  ash: setgid: Invalid argument

'unshare --map-root-user' still works, but because Linux only allows
uid/gid mappings to be set up once, creating a root mapping makes such
a namespace useless for creating multi-user containers.

With this patch, setgid and setuid will not be called in the case where
they would do nothing, which is always the case inside a new user
namespace because all uids are effectively mapped to nobody:

  $ id -u
  1000
  $ ls -lh busybox.fixed
  -rwsr-xr-x    1 root     root      826.2K May 21 00:33 busybox.fixed
  $ unshare --user ./busybox.fixed ash
  $ id -u
  65534

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 libbb/appletlib.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/libbb/appletlib.c b/libbb/appletlib.c
index df65849..b9fbbd1 100644
--- a/libbb/appletlib.c
+++ b/libbb/appletlib.c
@@ -681,8 +681,21 @@ static void check_suid(int applet_no)
 		if (geteuid())
 			bb_error_msg_and_die("must be suid to work properly");
 	} else if (APPLET_SUID(applet_no) == BB_SUID_DROP) {
-		xsetgid(rgid);  /* drop all privileges */
-		xsetuid(ruid);
+		/*
+		 * Drop all privileges.
+		 *
+		 * Don't check for errors: in normal use, they are impossible,
+		 * and in special cases, exiting is harmful. Example:
+		 * 'unshare --user' when user's shell is also from busybox.
+		 *
+		 * 'unshare --user' creates a new user namespace without any
+		 * uid mappings. Thus, busybox binary is setuid nobody:nogroup
+		 * within the namespace, as that is the only user. However,
+		 * since no uids are mapped, calls to setgid/setuid
+		 * fail (even though they would do nothing).
+		 */
+		setgid(rgid);
+		setuid(ruid);
 	}
 #  if ENABLE_FEATURE_SUID_CONFIG
  ret: ;


More information about the busybox-cvs mailing list