diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-10-06 15:44:27 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-10-06 15:44:27 +0200 |
commit | e057995bb1314a94ce460d8e5a2a20e73c0e2ad4 (patch) | |
tree | 6ca280b3a1526e61c9fed7b87854e2ba0ddb80c8 /src/basic/user-util.c | |
parent | 94f42fe3a68129fc5d30fc0ee2094c3052ea782b (diff) | |
parent | 36d854780c01d589e5da1fc6e94f46aa41f7016f (diff) |
Merge pull request #4280 from giuseppe/unprivileged-user
[RFC] run systemd in an unprivileged container
Diffstat (limited to 'src/basic/user-util.c')
-rw-r--r-- | src/basic/user-util.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/src/basic/user-util.c b/src/basic/user-util.c index 0522bce1d1..16496fccfa 100644 --- a/src/basic/user-util.c +++ b/src/basic/user-util.c @@ -33,6 +33,7 @@ #include "alloc-util.h" #include "fd-util.h" +#include "fileio.h" #include "formats-util.h" #include "macro.h" #include "missing.h" @@ -460,7 +461,7 @@ int get_shell(char **_s) { int reset_uid_gid(void) { - if (setgroups(0, NULL) < 0) + if (maybe_setgroups(0, NULL) < 0) return -errno; if (setresgid(0, 0, 0) < 0) @@ -602,3 +603,27 @@ bool valid_home(const char *p) { return true; } + +int maybe_setgroups(size_t size, const gid_t *list) { + static int cached_can_setgroups = -1; + /* check if setgroups is allowed before we try to drop all the auxiliary groups */ + if (size == 0) { + if (cached_can_setgroups < 0) { + _cleanup_free_ char *setgroups_content = NULL; + int r = read_one_line_file("/proc/self/setgroups", &setgroups_content); + if (r < 0 && errno != ENOENT) + return r; + if (r < 0) { + /* old kernels don't have /proc/self/setgroups, so assume we can use setgroups */ + cached_can_setgroups = true; + } else { + cached_can_setgroups = streq(setgroups_content, "allow"); + if (!cached_can_setgroups) + log_debug("skip setgroups, /proc/self/setgroups is set to 'deny'"); + } + } + if (!cached_can_setgroups) + return 0; + } + return setgroups(size, list); +} |