authorGravatar Pedro Kiefer <pedro@kiefer.com.br>2016-01-08 13:28:25 +0000
committerGravatar Philipp Wollermann <philwo@google.com>2016-01-08 14:59:04 +0000
commit41aaf39dfb740037c2e76ada83a5c2b24f0b8b0e (patch)
tree4a2f0085e996005d933b8211f888ba3345d3ac4f /src/main/tools
parent2cdfbd595c251e6e99454cfeeab5407911442506 (diff)
Query for user nobody and exit sandbox if unable to find.
Only create homedir if different from "/". Fixes issue #481. -- Change-Id: I240ea02974dfaafa07d1c9772baf372d5ea7755b Reviewed-on: https://bazel-review.googlesource.com/#/c/2650/ MOS_MIGRATED_REVID=111686914
Diffstat (limited to 'src/main/tools')
-rw-r--r--src/main/tools/namespace-sandbox.c22
1 files changed, 17 insertions, 5 deletions
diff --git a/src/main/tools/namespace-sandbox.c b/src/main/tools/namespace-sandbox.c
index e362f370c9..0153211b7b 100644
--- a/src/main/tools/namespace-sandbox.c
+++ b/src/main/tools/namespace-sandbox.c
@@ -48,9 +48,8 @@ static double global_kill_delay;
static int global_child_pid;
static volatile sig_atomic_t global_signal;
-// The uid and gid of the user and group 'nobody'.
-static const int kNobodyUid = 65534;
-static const int kNobodyGid = 65534;
+// The username of 'nobody'.
+static const char *kNobodyUsername = "nobody";
// Options parsing result.
struct Options {
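Review bot: `static const char *kNobodyUsername` declares a mutable pointer to const characters, so the name can still be reassigned at file scope, unlike the `static const int` constants it replaces. Declaring it as `static const char kNobodyUsername[] = "nobody";` (or `const char *const`) keeps it a true constant. The comment would read more clearly as `// Name of the unprivileged account whose uid/gid the sandboxed process runs as.`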
@@ -486,7 +485,9 @@ static void SetupDirectories(struct Options *opt) {
DIE("Home directory of user nobody must be an absolute path, but is %s",
homedir);
}
- opt->create_dirs[opt->num_create_dirs++] = homedir;
+ if (strcmp(homedir, "/") != 0) {
+ opt->create_dirs[opt->num_create_dirs++] = homedir;
+ }
}
// Create needed directories.
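Review bot: The new `strcmp(homedir, "/") != 0` test in SetupDirectories matches only the exact string "/", so a passwd entry whose home directory is spelled `//` or `/.` would still be appended to `create_dirs`. If those spellings can occur, normalise the path before comparing. The reason for the exception is not stated in the code; going by the commit message, a comment such as `// "/" is the sandbox root itself and must not be queued for creation (issue #481).` would help. The function starts outside the hunk, so where `homedir` comes from and whether `num_create_dirs` is bounds-checked cannot be seen here.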
@@ -573,6 +574,17 @@ static void SetupUserNamespace(int uid, int gid, int new_uid, int new_gid) {
CHECK_CALL(setresgid(new_gid, new_gid, new_gid));
}
+static void SetupUserNamespaceForNobody(int uid, int gid) {
+ struct passwd *pwd = getpwnam(kNobodyUsername);
+
+ if (pwd == NULL) {
+ perror("Unable to find passwd entry for user nobody.");
+ exit(EXIT_FAILURE);
+ }
+
+ SetupUserNamespace(uid, gid, pwd->pw_uid, pwd->pw_gid);
+}
+
static void ChangeRoot(struct Options *opt) {
// move the real root to old_root, then detach it
char old_root[16] = "old-root-XXXXXX";
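Review bot: The failure path in SetupUserNamespaceForNobody calls `perror()`, but getpwnam() returns NULL without setting errno when the entry simply does not exist, so the message can end with stale or "Success" error text. Set `errno = 0;` before the call and report the not-found case without strerror, e.g. `fprintf(stderr, "No passwd entry for user %s\n", kNobodyUsername);`. Using the `DIE(...)` macro that SetupDirectories already uses would also be more consistent. The returned `pw_uid`/`pw_gid` are `uid_t`/`gid_t` values passed into `int` parameters and used unchecked as the sandbox identity. Since the non-fake-root branch is presumably meant to be unprivileged, it may be worth rejecting an entry that resolves to id 0. A one-line comment above the function stating that it terminates the process when the lookup fails would document the contract.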
@@ -705,7 +717,7 @@ int main(int argc, char *const argv[]) {
if (opt.fake_root) {
SetupUserNamespace(uid, gid, 0, 0);
} else {
- SetupUserNamespace(uid, gid, kNobodyUid, kNobodyGid);
+ SetupUserNamespaceForNobody(uid, gid);
}
ChangeRoot(&opt);
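Review bot: The passwd lookup for nobody now runs at this point in main, immediately before ChangeRoot, while the DIE message in SetupDirectories suggests nobody's home directory is resolved separately. Resolving the entry once near the start of main and passing the ids down would make a missing account fail before any sandbox setup is done, and would guarantee that the home directory and the uid/gid come from the same record. What main does before this branch is outside the hunk, so treat this as something to check rather than a confirmed problem.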