mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-27 03:41:23 +08:00
5a82c74822
Also, change sources.redhat.com to sourceware.org. This patch was automatically generated by running the following shell script, which uses GNU sed, and which avoids modifying files imported from upstream: sed -ri ' s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g ' \ $(find $(git ls-files) -prune -type f \ ! -name '*.po' \ ! -name 'ChangeLog*' \ ! -path COPYING ! -path COPYING.LIB \ ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \ ! -path manual/texinfo.tex ! -path scripts/config.guess \ ! -path scripts/config.sub ! -path scripts/install-sh \ ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \ ! -path INSTALL ! -path locale/programs/charmap-kw.h \ ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \ ! '(' -name configure \ -execdir test -f configure.ac -o -f configure.in ';' ')' \ ! '(' -name preconfigure \ -execdir test -f preconfigure.ac ';' ')' \ -print) and then by running 'make dist-prepare' to regenerate files built from the altered files, and then executing the following to cleanup: chmod a+x sysdeps/unix/sysv/linux/riscv/configure # Omit irrelevant whitespace and comment-only changes, # perhaps from a slightly-different Autoconf version. git checkout -f \ sysdeps/csky/configure \ sysdeps/hppa/configure \ sysdeps/riscv/configure \ sysdeps/unix/sysv/linux/csky/configure # Omit changes that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines git checkout -f \ sysdeps/powerpc/powerpc64/ppc-mcount.S \ sysdeps/unix/sysv/linux/s390/s390-64/syscall.S # Omit change that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
103 lines
3.2 KiB
C
103 lines
3.2 KiB
C
/* Acquire root privileges.
|
|
Copyright (C) 2016-2019 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include <support/namespace.h>
|
|
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <sched.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <support/check.h>
|
|
#include <support/xunistd.h>
|
|
#include <unistd.h>
|
|
|
|
#ifdef CLONE_NEWUSER
|
|
/* The necessary steps to allow file creation in user namespaces. */
|
|
static void
|
|
setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
|
|
{
|
|
int fd = open64 ("/proc/self/uid_map", O_WRONLY);
|
|
if (fd < 0)
|
|
{
|
|
printf ("warning: could not open /proc/self/uid_map: %m\n"
|
|
"warning: file creation may not be possible\n");
|
|
return;
|
|
}
|
|
|
|
/* We map our original UID to the same UID in the container so we
|
|
own our own files normally. Without that, file creation could
|
|
fail with EOVERFLOW (sic!). */
|
|
char buf[100];
|
|
int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
|
|
(unsigned long long) original_uid,
|
|
(unsigned long long) original_uid);
|
|
TEST_VERIFY_EXIT (ret < sizeof (buf));
|
|
xwrite (fd, buf, ret);
|
|
xclose (fd);
|
|
|
|
/* Linux 3.19 introduced the setgroups file. We need write "deny" to this
|
|
file otherwise writing to gid_map will fail with EPERM. */
|
|
fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
|
|
if (fd < 0)
|
|
{
|
|
if (errno != ENOENT)
|
|
FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
|
|
O_WRONLY, 0);
|
|
/* This kernel doesn't expose the setgroups file so simply move on. */
|
|
}
|
|
else
|
|
{
|
|
xwrite (fd, "deny\n", strlen ("deny\n"));
|
|
xclose (fd);
|
|
}
|
|
|
|
/* Now map our own GID, like we did for the user ID. */
|
|
fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
|
|
ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
|
|
(unsigned long long) original_gid,
|
|
(unsigned long long) original_gid);
|
|
TEST_VERIFY_EXIT (ret < sizeof (buf));
|
|
xwrite (fd, buf, ret);
|
|
xclose (fd);
|
|
}
|
|
#endif /* CLONE_NEWUSER */
|
|
|
|
bool
|
|
support_become_root (void)
|
|
{
|
|
#ifdef CLONE_NEWUSER
|
|
uid_t original_uid = getuid ();
|
|
gid_t original_gid = getgid ();
|
|
|
|
if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0)
|
|
{
|
|
setup_uid_gid_mapping (original_uid, original_gid);
|
|
/* Even if we do not have UID zero, we have extended privileges at
|
|
this point. */
|
|
return true;
|
|
}
|
|
#endif
|
|
if (setuid (0) != 0)
|
|
{
|
|
printf ("warning: could not become root outside namespace (%m)\n");
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|