diff options
-rw-r--r-- | src/journal/coredump.c | 21 | ||||
-rw-r--r-- | src/shared/capability.c | 30 |
2 files changed, 27 insertions, 24 deletions
diff --git a/src/journal/coredump.c b/src/journal/coredump.c index d322e7984c..f6b95145d2 100644 --- a/src/journal/coredump.c +++ b/src/journal/coredump.c @@ -31,9 +31,8 @@ # include <elfutils/libdwfl.h> #endif -#include "systemd/sd-journal.h" -#include "systemd/sd-login.h" - +#include "sd-journal.h" +#include "sd-login.h" #include "log.h" #include "util.h" #include "fileio.h" @@ -42,14 +41,15 @@ #include "mkdir.h" #include "special.h" #include "cgroup-util.h" -#include "journald-native.h" #include "conf-parser.h" #include "copy.h" #include "stacktrace.h" #include "path-util.h" #include "compress.h" -#include "coredump-vacuum.h" #include "acl-util.h" +#include "capability.h" +#include "journald-native.h" +#include "coredump-vacuum.h" /* The maximum size up to which we process coredumps */ #define PROCESS_SIZE_MAX ((off_t) (2LLU*1024LLU*1024LLU*1024LLU)) @@ -810,11 +810,12 @@ int main(int argc, char* argv[]) { * segfaulted process and allocate the coredump memory under * the user's uid. This also ensures that the credentials * journald will see are the ones of the coredumping user, - * thus making sure the user gets access to the core dump. */ - if (setresgid(gid, gid, gid) < 0 || - setresuid(uid, uid, uid) < 0) { - log_error_errno(errno, "Failed to drop privileges: %m"); - r = -errno; + * thus making sure the user gets access to the core + * dump. Let's also get rid of all capabilities, if we run as + * root, we won't need them anymore. */ + r = drop_privileges(uid, gid, 0); + if (r < 0) { + log_error_errno(r, "Failed to drop privileges: %m"); goto finish; } diff --git a/src/shared/capability.c b/src/shared/capability.c index b1be043803..b39e8e2359 100644 --- a/src/shared/capability.c +++ b/src/shared/capability.c @@ -230,8 +230,9 @@ int capability_bounding_set_drop_usermode(uint64_t drop) { } int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { - + cap_value_t bits[sizeof(keep_capabilities)*8]; _cleanup_cap_free_ cap_t d = NULL; + unsigned i, j = 0; int r; /* Unfortunately we cannot leave privilege dropping to PID 1 @@ -247,7 +248,8 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { if (setgroups(0, NULL) < 0) return log_error_errno(errno, "Failed to drop auxiliary groups list: %m"); - if (prctl(PR_SET_KEEPCAPS, 1) < 0) + /* Ensure we keep the permitted caps across the setresuid(), if we need them */ + if (prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) < 0) return log_error_errno(errno, "Failed to enable keep capabilities flag: %m"); r = setresuid(uid, uid, uid); @@ -257,27 +259,27 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) { if (prctl(PR_SET_KEEPCAPS, 0) < 0) return log_error_errno(errno, "Failed to disable keep capabilities flag: %m"); + /* Drop all caps from the bounding set, except the ones we want */ r = capability_bounding_set_drop(~keep_capabilities, true); if (r < 0) return log_error_errno(r, "Failed to drop capabilities: %m"); + if (keep_capabilities == 0) /* All is gone, we can exit early */ + return 0; + + /* Now upgrade the permitted caps we still kept to effective caps */ d = cap_init(); if (!d) return log_oom(); - if (keep_capabilities) { - cap_value_t bits[sizeof(keep_capabilities)*8]; - unsigned i, j = 0; + for (i = 0; i < sizeof(keep_capabilities)*8; i++) + if (keep_capabilities & (1ULL << i)) + bits[j++] = i; - for (i = 0; i < sizeof(keep_capabilities)*8; i++) - if (keep_capabilities & (1ULL << i)) - bits[j++] = i; - - if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || - cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { - log_error_errno(errno, "Failed to enable capabilities bits: %m"); - return -errno; - } + if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 || + cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) { + log_error_errno(errno, "Failed to enable capabilities bits: %m"); + return -errno; } if (cap_set_proc(d) < 0) |