Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added --uid and --gid support when running as root without --unshare-user or --userns #616

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Added --uid and --gid support when running as root without --unshare-user or --userns #616

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
24 changes: 18 additions & 6 deletions bubblewrap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,8 +326,8 @@ usage (int ecode, FILE *out)
" --disable-userns Disable further use of user namespaces inside sandbox\n"
" --assert-userns-disabled Fail unless further use of user namespace inside sandbox is disabled\n"
" --pidns FD Use this pid namespace (as parent namespace if using --unshare-pid)\n"
" --uid UID Custom uid in the sandbox (requires --unshare-user or --userns)\n"
" --gid GID Custom gid in the sandbox (requires --unshare-user or --userns)\n"
" --uid UID Custom uid in the sandbox (requires root, --unshare-user or --userns)\n"
" --gid GID Custom gid in the sandbox (requires root, --unshare-user or --userns)\n"
" --hostname NAME Custom hostname in the sandbox (requires --unshare-uts)\n"
" --chdir DIR Change directory to DIR\n"
" --clearenv Unset all environment variables\n"
Expand Down Expand Up @@ -2780,11 +2780,11 @@ main (int argc,
if (opt_sandbox_gid == (gid_t)-1)
opt_sandbox_gid = real_gid;

if (!opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_uid != real_uid)
die ("Specifying --uid requires --unshare-user or --userns");
if (real_uid != 0 && !opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_uid != real_uid)
die ("Specifying --uid requires root, --unshare-user or --userns");

if (!opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_gid != real_gid)
die ("Specifying --gid requires --unshare-user or --userns");
if (real_uid != 0 && !opt_unshare_user && opt_userns_fd == -1 && opt_sandbox_gid != real_gid)
die ("Specifying --gid requires root, --unshare-user or --userns");

if (!opt_unshare_uts && opt_sandbox_hostname != NULL)
die ("Specifying --hostname requires --unshare-uts");
Expand Down Expand Up @@ -3237,6 +3237,18 @@ main (int argc,
die ("creation of new user namespaces was not disabled as requested");
}

if (real_uid == 0 && !opt_unshare_user && opt_userns_fd == -1 && (opt_sandbox_uid != real_uid || opt_sandbox_gid != real_gid)) {
/* Tell kernel not clear capabilities when later dropping root uid */
if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
die_with_error ("prctl(PR_SET_KEEPCAPS) failed");

if (opt_sandbox_gid != real_gid && setgid (opt_sandbox_gid) < 0)
die_with_error ("unable to switch to gid %d", opt_sandbox_gid);

if (opt_sandbox_uid != real_uid && setuid (opt_sandbox_uid) < 0)
die_with_error ("unable to switch to uid %d", opt_sandbox_uid);
}

/* All privileged ops are done now, so drop caps we don't need */
drop_privs (!is_privileged, TRUE);

Expand Down