setgroups < deny is needed before group ids are set

tailhook / unshare

The low-level linux containers creation library for rust

Apache License 2.0

124 stars 27 forks source link

setgroups < deny is needed before group ids are set #27

Open shriphani opened 2 years ago

shriphani commented 2 years ago

Since Linux 3.19 unprivileged writing of /proc/self/gid_map has been disabled unless /proc/self/setgroups is written first to permanently disable the ability to call setgroups in that user namespace.

This essentially means we need to write "deny" to /proc/self/setgroups. This PR adds that one invocation.

Without this, you can't map a child in CLONE_NEWUSER uid 0 and gid 0 to an unprivileged caller's uid and gid.

marius851000 commented 1 year ago

Can confirm that this solve the issue I had with this piece of code:

.set_id_maps(
    vec![UidMap {
        inside_uid: 0,
        outside_uid: unsafe { libc::geteuid() },
        count: 1,
    }],
    vec![GidMap {
        inside_gid: 0,
        outside_gid: unsafe { libc::getegid() },
        count: 1,
    }],
);