If a call to chroot is not followed by a call to chdir("/") the chroot jail
confinement can be violated. See also CWE-243.
CID: 360718
CID: 360800
Reference: http://cwe.mitre.org/data/definitions/243.html
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Just as with unshare and lsns this adds time namespace support to
nsenter.
In contrast to unshare nsenter does not have the options '--boottime'
and '--monotonic' as that offset can only be set as long as there have
no processes being started in the corresponding time namespace.
Signed-off-by: Adrian Reber <areber@redhat.com>
sys-utils/nsenter.c: In function ‘is_same_namespace’:
sys-utils/nsenter.c:170:2: warning: ‘b_ino’ may be used uninitialized in this function [-Wuninitialized]
sys-utils/nsenter.c:170:2: warning: ‘a_ino’ may be used uninitialized in this function [-Wuninitialized]
Signed-off-by: Karel Zak <kzak@redhat.com>
changed in include/c.h and applied via sed:
sed -i 's/fprintf.*\(USAGE_MAN_TAIL.*\)/printf(\1/' $(git ls-files -- "*.c")
sed -i 's/print_usage_help_options\(.*\);/printf(USAGE_HELP_OPTIONS\1);/' $(git ls-files -- "*.c")
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Consolidate --help and --version descriptions. We are
now able to align them to the other options.
We changed include/c.h. The rest of this patch was
generated by sed, plus manually setting the right
alignment numbers. We do not change anything but
white spaces in the --help output.
Signed-off-by: Ruediger Meier <ruediger.meier@ga-group.nl>
(Original patch and commit message edited by Rudi.)
gcc-7 adds -Wimplicit-fallthrough=3 to our default flag -Wextra.
This warning can be silenced by using comment /* fallthrough */
which is also recognized by other tools like coverity. There are
also other valid comments (see man gcc-7) but we consolidate this
style now.
We could have also used __attribute__((fallthrough)) but the comment
looks nice and does not need to be ifdef'ed for compatibility.
Reference: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=7652
Reference: https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Reviewed-by: Ruediger Meier <ruediger.meier@ga-group.nl>
Suggested-by: Karel Zak <kzak@redhat.com>
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Fix various typos in error messages, warnings, debug strings,
comments and names of static functions.
Signed-off-by: Sebastian Rasmussen <sebras@gmail.com>
We have two use cases for user namespaces, one to elevate the
privilege of an unprivileged user, in which case we have to enter the
user namespace before all other namespaces (otherwise there isn't
enough permission to enter any other namespace). And the other one is
where we're deprivileging a user and thus have to enter the user
namespace last (because that's the point at which we lose the
privileges). On the first pass, we start at the position one after
the user namespace clearing the file descriptors as we close them
after calling setns(). If setns() fails on the first pass, ignore the
failure assuming that it will succeed after we enter the user
namespace.
Addresses: https://github.com/karelzak/util-linux/issues/315
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
The new context is copied from --target <PID>. This solution allows to
keep SELinux happy when you enter container by nsenter(1).
Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1116100
Signed-off-by: Karel Zak <kzak@redhat.com>
The new option --preserve-credentials completely disables all
operations related to UIGs and GIDs.
The patch also calls setgroups() before we enter user namespace (so
root can always clear their groups) and after we enter user namespace
(to detect /proc/self/setgroups "deny"). If both fail then nsenter
complains.
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
The current nseneter behavior is inconsistent and depends on way how
namespace is specified on command line
# nsenter --user
vs.
# nseneter --user=filename
if the namespace is specified by <filename> than nsenter does not do
additinal setting and actions (e.g. does not call setgroups, setuid).
This is bug.
Signed-off-by: Karel Zak <kzak@redhat.com>
This adds a concise description of a tool to its usage text.
A first form of this patch was proposed by Steven Honeyman
(see http://www.spinics.net/lists/util-linux-ng/msg09994.html).
Signed-off-by: Benno Schulenberg <bensberg@justemail.net>
Now it's possible to set UID and GID for user namespaces only. This
patch removes this restriction and allow to use --set{uid,gid} in all
cases. The default for user namespaces is still GID=0, UID=0.
Reported-by: Tomas Doran <bobtfish@bobtfish.net>
Signed-off-by: Karel Zak <kzak@redhat.com>
Using -S (--setuid) and -G (--setgid) one can select the uid/gid which
will be used in the entered user namespace.
[kzak@redhat.com: - use setuid/gid unconditionally (always),
- update man page]
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Karel Zak <kzak@redhat.com>
The behaviour mimics chroot.
Possibly it would have been nicer to to query the password database in
the new namepace and run the shell of the user there, but it's hard to
do correctly. getpwuid() might need to load nss plugins, and the arch
in the new namespace might be different (in case of NEWNS mounts), or
the hostname might be different, etc. So in general it's not possible
to do it reliably.
Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Message to user is less informative, but impossible events should be
rare so core files are much appriciated for these cases.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
nsenter.c:53:2: warning: ISO C forbids empty initializer braces [-pedantic]
[kzak@redhat.com: - use initialize .fd to -1]
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
Signed-off-by: Karel Zak <kzak@redhat.com>
The 'neither filename nor target' is changed to use errx() rather than
err(), because the errno is indicating success at the time of fatal error
which is wrong message for an user.
The "cannot open %s" is same string as in other files, making translators
to work less.
Remaining changes aim to ease understanding what went wrong for a
non-programmer audience.
Signed-off-by: Sami Kerola <kerolasa@iki.fi>
The naming of this option was really confusing.
Just rename it for clarity.
[kzak@redhat.com: rebase to original code without --all]
Signed-off-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Signed-off-by: Karel Zak <kzak@redhat.com>
Move the defitions of CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC,
CLONE_NEWNET, CLONE_NEWUSER, CLONE_NEWPID into namespace.h in case
sched.h does not provide those definitions. Are there systems
around that are old enough that still need this?
Move the definitions of unshare() and setns() into namespace.h
for supporting old versions of libc that does not provice these.
I have tested this support with setns as I still have systems
old enough that glibc does not wrap setns.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This is shorter code and makes things a bit clearer and less
error prone if anyone happens to copy the code.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
In the case of a pid namespace we need to fork a child process instead
of calling exec. Move all of that logic out of line into a function
continue_as_child, making the logic of the primary case easier to
understand.
Update the logic for waiting for a child process to suspend ourselves
when the child processes suspends and to continue the child process
when we are unsuspsended. This supports the bash suspend command and
various editors that suspend themselves.
If the child process exits with a signal update the logic to run
kill(getpid(), WTERMSIG(status)) so the caller sees the same exit code
that nsenter observed.
There will always be permission to send signals to our children and
the tty is not changing so there is no need for the intermediate
process to forward signals to it's child.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Inspired by unshare, nsenter is a simple wrapper around setns that
allows running a new process in the context of an existing process.
Full paths may be specified to the namespace arguments so that
namespace file descriptors may be used wherever they reside in the
filesystem.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Sami Kerola
Adrian Reber
Karel Zak
Ruediger Meier
Sebastian Rasmussen
James Bottomley
Serge Hallyn
Benno Schulenberg
Richard Weinberger
Zbigniew Jędrzejewski-Szmek
Eric W. Biederman