coreutils

Re: RFC: dropping privs in chroot --user


From: Pádraig Brady
Subject: Re: RFC: dropping privs in chroot --user
Date: Fri, 16 May 2014 21:59:46 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2

On 05/13/2014 04:04 PM, Pádraig Brady wrote:
> Both setuidgid and runuser behave as I would expect
> and drop the supplemental groups of the root user:
> 
>   # runuser padraig -c "id -G"
>   500 10 489 491
> 
>   # ~padraig/git/coreutils/src/setuidgid padraig id -G
>   500 10 489 491
> 
> However chroot does not:
> 
>   # chroot --user=padraig: / id -G
>   500 0 1 2 3 4 6 10
> 
>   # chroot --user=padraig / id -G
>   0 500 1 2 3 4 6 10
> 
> That's at least unexpected and could
> be considered a bug I think.
> If I'm missing nothing I'll send a patch soon.

So with chroot you needed to explicitly set the supplemental groups
with --groups, which was awkward, unexpected and not general
since there was no way to lookup the supplemental groups for
a user _within_ the chroot.

The attached patch changes things as follows.

thanks,
Pádraig.

[[ chroot / id -G ]]
before: 0 1 2 3 4 6 10
after:  0 1 2 3 4 6 10
[[ chroot --user=padraig / id -G ]]
before: 0 500 1 2 3 4 6 10
after:  500 10 489 491
[[ chroot --user=padraig: / id -G ]]
before: 500 0 1 2 3 4 6 10
after:  500 10 489 491
[[ chroot --user=padraig:nobody / id -G ]]
before: 99 500 0 1 2 3 4 6 10
after:  99 500 10 489 491
[[ chroot --user=padraig --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  500
[[ chroot --user=padraig:nobody --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  99 500
[[ chroot --user=+500 / id -G ]]
before: 0 500 1 2 3 4 6 10
after:  500 10 489 491
[[ chroot --user=+500:+500 / id -G ]]
before: 500 0 1 2 3 4 6 10
after:  500 10 489 491
[[ chroot --user=+500:nobody / id -G ]]
before: 99 500 0 1 2 3 4 6 10
after:  99 500 10 489 491
[[ chroot --user=+500:nobody --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  99 500
[[ chroot --user=+500 --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  500
[[ chroot --user=+500:+500 --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  500
[[ chroot --user=+5000 / id -G ]]
before: 0 1 2 3 4 6 10
after:  src/chroot: failed to get primary group
[[ chroot --user=+5000:+5000  / id -G ]]
before: 5000 0 1 2 3 4 6 10
after:  5000
[[ chroot --user=+5000:+5000 --groups='' / id -G ]]
before: chroot: invalid group list `'
after:  5000
[[ chroot --user=:padraig  / id -G ]]
before: 500 0 1 2 3 4 6 10
after:  500 0 1 2 3 4 6 10
[[ chroot --user=:padraig  / id -u ]]
before: 0
after:  0

Attachment: chroot-clear-root-groups.patch
Description: Text Data
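The sequence the message argues for (reset the supplemental group list before changing gid and uid, then check that nothing from the root identity survived) written out as an added C example. This is not the attached coreutils patch and not coreutils code; it assumes a user name on the command line, the path /usr/bin/id for the final check, and a fixed bound of 256 groups, and the captured "id -G" lines from the thread serve as sample input for the audit helper.

```c
/* Added example, not the coreutils patch: drop root privileges permanently,
 * resetting the supplemental group list *before* changing gid and uid, and
 * verify that nothing from the root identity leaked through.
 * Build: cc -Wall -Wextra -o dropprivs dropprivs.c ; run as root: ./dropprivs USER */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256   /* assumed bound; enough for any realistic user */

/* Parse a whitespace-separated list of numeric gids, the format "id -G"
 * prints.  Returns the count, or -1 on a malformed token or overflow. */
int parse_gid_list(const char *s, gid_t *out, size_t max)
{
    size_t n = 0;
    for (;;) {
        while (*s == ' ' || *s == '\t' || *s == '\n')
            s++;
        if (*s == '\0')
            return (int)n;
        char *end;
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (end == s || errno != 0 || *s == '-'
            || (*end != '\0' && *end != ' ' && *end != '\t' && *end != '\n'))
            return -1;
        if (n == max)
            return -1;
        out[n++] = (gid_t)v;
        s = end;
    }
}

/* 1 if some gid in 'have' is absent from 'want' (a leaked group), else 0. */
int groups_leaked(const gid_t *have, size_t nhave, const gid_t *want, size_t nwant)
{
    for (size_t i = 0; i < nhave; i++) {
        int found = 0;
        for (size_t j = 0; j < nwant && !found; j++)
            found = (have[i] == want[j]);
        if (!found)
            return 1;
    }
    return 0;
}

/* Audit captured "id -G" output against the expected list:
 * 1 = a group leaked, 0 = clean, -1 = unparsable input. */
int leak_from_strings(const char *have_str, const char *want_str)
{
    gid_t have[MAX_GROUPS], want[MAX_GROUPS];
    int nh = parse_gid_list(have_str, have, MAX_GROUPS);
    int nw = parse_gid_list(want_str, want, MAX_GROUPS);
    if (nh < 0 || nw < 0)
        return -1;
    return groups_leaked(have, (size_t)nh, want, (size_t)nw);
}

/* Switch to 'user' for good.  Order matters: supplemental groups first
 * (they cannot be changed once we are no longer root), then gid, then uid.
 * keep_supplemental selects the target user's own groups (what runuser does)
 * or an empty list (what chroot --groups='' does after the patch).
 * Returns 0 on success, -1 with errno set; callers must treat -1 as fatal. */
int drop_privileges(const char *user, int keep_supplemental)
{
    errno = 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        if (errno == 0)
            errno = ENOENT;
        return -1;
    }
    if (keep_supplemental) {
        if (initgroups(pw->pw_name, pw->pw_gid) != 0)
            return -1;
    } else if (setgroups(0, NULL) != 0) {
        return -1;
    }
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;

    /* Verification: ids must match and the drop must be irreversible. */
    if (getuid() != pw->pw_uid || getgid() != pw->pw_gid
        || (pw->pw_uid != 0 && setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    /* With an empty list only the primary gid may remain: getgroups()
     * includes the effective gid on some systems, nothing else is allowed. */
    if (!keep_supplemental) {
        gid_t have[MAX_GROUPS];
        int n = getgroups(MAX_GROUPS, have);
        if (n < 0 || groups_leaked(have, (size_t)n, &pw->pw_gid, 1)) {
            errno = EPERM;
            return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s USER\n", argv[0]); return 2; }
    if (drop_privileges(argv[1], 1) != 0) { perror("drop_privileges"); return 1; }
    /* Show the result the same way the thread does (assumed path). */
    execl("/usr/bin/id", "id", "-G", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as root, `./dropprivs padraig` should print the target user's own groups, as the "after" lines in the message do; the "before" lines, with root's 0 1 2 3 4 6 10 still present, are exactly what `leak_from_strings` flags when the observed output is compared with the expected list.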

