summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2012-11-21 02:58:55 +0100
committerLennart Poettering <lennart@poettering.net>2012-11-22 00:45:22 +0100
commit3c957acf86b9ec482a527528987b2462a32e0d07 (patch)
treef693775d76371d10ce9407e909b9b476d5420bc2
parentba9904e9ce0628cce3bbd8106f6dc6914e418eda (diff)
nspawn: reset supplementary and main group id before entering nspawn
-rw-r--r--TODO2
-rw-r--r--src/nspawn/nspawn.c17
2 files changed, 17 insertions, 2 deletions
diff --git a/TODO b/TODO
index 4a49f49369..85b6e9bb52 100644
--- a/TODO
+++ b/TODO
@@ -180,8 +180,6 @@ Features:
* nspawn: implement personality changes a la linux32(8)
-* nspawn: reset all aux groups
-
* cryptsetup-generator: warn if the password files are world-readable
* cryptsetup-generator: add RequiresMountsFor= to cryptseup service files referencing a file, similar for devices
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 244ebb8342..59171abff3 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1327,6 +1327,23 @@ int main(int argc, char *argv[]) {
log_error("setreuid() failed: %m");
goto child_fail;
}
+ } else {
+ /* Reset everything fully to 0, just in case */
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("setgroups() failed: %m");
+ goto child_fail;
+ }
+
+ if (setresgid(0, 0, 0) < 0) {
+ log_error("setregid() failed: %m");
+ goto child_fail;
+ }
+
+ if (setresuid(0, 0, 0) < 0) {
+ log_error("setreuid() failed: %m");
+ goto child_fail;
+ }
}
if ((asprintf((char**)(envp + 3), "HOME=%s", home ? home: "/root") < 0) ||