From 41aaf39dfb740037c2e76ada83a5c2b24f0b8b0e Mon Sep 17 00:00:00 2001
From: Pedro Kiefer
Date: Fri, 8 Jan 2016 13:28:25 +0000
Subject: Query for user nobody and exit sandbox if unable to find. Only create homedir if different from "/". Fixes issue #481.
--
Change-Id: I240ea02974dfaafa07d1c9772baf372d5ea7755b
Reviewed-on: https://bazel-review.googlesource.com/#/c/2650/
MOS_MIGRATED_REVID=111686914
---
 src/main/tools/namespace-sandbox.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/main/tools/namespace-sandbox.c b/src/main/tools/namespace-sandbox.c
index e362f370c9..0153211b7b 100644
--- a/src/main/tools/namespace-sandbox.c
+++ b/src/main/tools/namespace-sandbox.c
@@ -48,9 +48,8 @@ static double global_kill_delay;
 static int global_child_pid;
 static volatile sig_atomic_t global_signal;
-// The uid and gid of the user and group 'nobody'.
-static const int kNobodyUid = 65534;
-static const int kNobodyGid = 65534;
+// The username of 'nobody'.
+static const char *kNobodyUsername = "nobody";
 // Options parsing result.
 struct Options {
@@ -486,7 +485,9 @@ static void SetupDirectories(struct Options *opt) {
 DIE("Home directory of user nobody must be an absolute path, but is %s", homedir);
 }
- opt->create_dirs[opt->num_create_dirs++] = homedir;
+ if (strcmp(homedir, "/") != 0) {
+ opt->create_dirs[opt->num_create_dirs++] = homedir;
+ }
 }
 // Create needed directories.
@@ -573,6 +574,17 @@ static void SetupUserNamespace(int uid, int gid, int new_uid, int new_gid) {
 CHECK_CALL(setresgid(new_gid, new_gid, new_gid));
 }
+static void SetupUserNamespaceForNobody(int uid, int gid) {
+ struct passwd *pwd = getpwnam(kNobodyUsername);
+
+ if (pwd == NULL) {
+ perror("Unable to find passwd entry for user nobody.");
+ exit(EXIT_FAILURE);
+ }
+
+ SetupUserNamespace(uid, gid, pwd->pw_uid, pwd->pw_gid);
+}
+
 static void ChangeRoot(struct Options *opt) {
 // move the real root to old_root, then detach it
 char old_root[16] = "old-root-XXXXXX";
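Review bot: The new `strcmp(homedir, "/") != 0` guard in SetupDirectories is an exact string match, so a passwd entry that spells the root as `//` or `/.` would still be appended to `create_dirs`; what the creation loop does with such a path lies outside the hunk, so confirm it is harmless or normalise the path before comparing. The guard also carries no comment saying why the root is skipped; I would add `// Home directory "/" needs no entry in create_dirs (see issue #481).` above it. The append itself, `opt->create_dirs[opt->num_create_dirs++] = homedir;`, shows no bounds check against the array's capacity, which is declared outside this hunk.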
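Review bot: In SetupUserNamespaceForNobody the failure path calls `perror` after `getpwnam` returned NULL, but a missing entry leaves errno untouched, so the message ends in a stale or meaningless errno suffix and a real lookup error cannot be told apart from an absent user. Set `errno = 0;` before the call and report through the file's own macro, e.g. `DIE("Unable to find passwd entry for user %s", kNobodyUsername);` (how DIE treats errno is not visible here, so confirm). The identity the sandbox drops to now comes from the host's passwd/NSS data instead of a constant, so it is worth rejecting a result with `pwd->pw_uid == 0` before handing it to SetupUserNamespace, whose parameters are `int` while `pw_uid` and `pw_gid` are `uid_t`/`gid_t`.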
@@ -705,7 +717,7 @@ int main(int argc, char *const argv[]) {
 if (opt.fake_root) {
 SetupUserNamespace(uid, gid, 0, 0);
 } else {
- SetupUserNamespace(uid, gid, kNobodyUid, kNobodyGid);
+ SetupUserNamespaceForNobody(uid, gid);
 }
 ChangeRoot(&opt);
--
cgit v1.2.3