summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/journal/coredump.c21
-rw-r--r--src/shared/capability.c30
2 files changed, 27 insertions, 24 deletions
diff --git a/src/journal/coredump.c b/src/journal/coredump.c
index d322e7984c..f6b95145d2 100644
--- a/src/journal/coredump.c
+++ b/src/journal/coredump.c
@@ -31,9 +31,8 @@
# include <elfutils/libdwfl.h>
#endif
-#include "systemd/sd-journal.h"
-#include "systemd/sd-login.h"
-
+#include "sd-journal.h"
+#include "sd-login.h"
#include "log.h"
#include "util.h"
#include "fileio.h"
@@ -42,14 +41,15 @@
#include "mkdir.h"
#include "special.h"
#include "cgroup-util.h"
-#include "journald-native.h"
#include "conf-parser.h"
#include "copy.h"
#include "stacktrace.h"
#include "path-util.h"
#include "compress.h"
-#include "coredump-vacuum.h"
#include "acl-util.h"
+#include "capability.h"
+#include "journald-native.h"
+#include "coredump-vacuum.h"
/* The maximum size up to which we process coredumps */
#define PROCESS_SIZE_MAX ((off_t) (2LLU*1024LLU*1024LLU*1024LLU))
@@ -810,11 +810,12 @@ int main(int argc, char* argv[]) {
* segfaulted process and allocate the coredump memory under
* the user's uid. This also ensures that the credentials
* journald will see are the ones of the coredumping user,
- * thus making sure the user gets access to the core dump. */
- if (setresgid(gid, gid, gid) < 0 ||
- setresuid(uid, uid, uid) < 0) {
- log_error_errno(errno, "Failed to drop privileges: %m");
- r = -errno;
+ * thus making sure the user gets access to the core
+ * dump. Let's also get rid of all capabilities, if we run as
+ * root, we won't need them anymore. */
+ r = drop_privileges(uid, gid, 0);
+ if (r < 0) {
+ log_error_errno(r, "Failed to drop privileges: %m");
goto finish;
}
diff --git a/src/shared/capability.c b/src/shared/capability.c
index b1be043803..b39e8e2359 100644
--- a/src/shared/capability.c
+++ b/src/shared/capability.c
@@ -230,8 +230,9 @@ int capability_bounding_set_drop_usermode(uint64_t drop) {
}
int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
-
+ cap_value_t bits[sizeof(keep_capabilities)*8];
_cleanup_cap_free_ cap_t d = NULL;
+ unsigned i, j = 0;
int r;
/* Unfortunately we cannot leave privilege dropping to PID 1
@@ -247,7 +248,8 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
if (setgroups(0, NULL) < 0)
return log_error_errno(errno, "Failed to drop auxiliary groups list: %m");
- if (prctl(PR_SET_KEEPCAPS, 1) < 0)
+ /* Ensure we keep the permitted caps across the setresuid(), if we need them */
+ if (prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) < 0)
return log_error_errno(errno, "Failed to enable keep capabilities flag: %m");
r = setresuid(uid, uid, uid);
@@ -257,27 +259,27 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
if (prctl(PR_SET_KEEPCAPS, 0) < 0)
return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");
+ /* Drop all caps from the bounding set, except the ones we want */
r = capability_bounding_set_drop(~keep_capabilities, true);
if (r < 0)
return log_error_errno(r, "Failed to drop capabilities: %m");
+ if (keep_capabilities == 0) /* All is gone, we can exit early */
+ return 0;
+
+ /* Now upgrade the permitted caps we still kept to effective caps */
d = cap_init();
if (!d)
return log_oom();
- if (keep_capabilities) {
- cap_value_t bits[sizeof(keep_capabilities)*8];
- unsigned i, j = 0;
+ for (i = 0; i < sizeof(keep_capabilities)*8; i++)
+ if (keep_capabilities & (1ULL << i))
+ bits[j++] = i;
- for (i = 0; i < sizeof(keep_capabilities)*8; i++)
- if (keep_capabilities & (1ULL << i))
- bits[j++] = i;
-
- if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 ||
- cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) {
- log_error_errno(errno, "Failed to enable capabilities bits: %m");
- return -errno;
- }
+ if (cap_set_flag(d, CAP_EFFECTIVE, j, bits, CAP_SET) < 0 ||
+ cap_set_flag(d, CAP_PERMITTED, j, bits, CAP_SET) < 0) {
+ log_error_errno(errno, "Failed to enable capabilities bits: %m");
+ return -errno;
}
if (cap_set_proc(d) < 0)