blob: 36887d44ee916bb4a11d986c3632de3a15badb96 [file] [log] [blame]
Brad Bishop220d5532018-08-14 00:59:39 +01001From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
2From: Aleksa Sarai <asarai@suse.de>
3Date: Thu, 15 Feb 2018 23:49:40 +1100
4Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
5
6This is necessary to match the kernel-side policy of "self-mapping in a
7user namespace is fine, but you cannot drop groups" -- a policy that was
8created in order to stop user namespaces from allowing trivial privilege
9escalation by dropping supplementary groups that were "blacklisted" from
10certain paths.
11
12This is the simplest fix for the underlying issue, and effectively makes
13it so that unless a user has a valid mapping set in /etc/subgid (which
14only administrators can modify) -- and they are currently trying to use
15that mapping -- then /proc/$pid/setgroups will be set to deny. This
16workaround is only partial, because ideally it should be possible to set
17an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
18administrators to further restrict newgidmap(1).
19
20We also don't write anything in the "allow" case because "allow" is the
21default, and users may have already written "deny" even if they
22technically are allowed to use setgroups. And we don't write anything if
23the setgroups policy is already "deny".
24
25Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
26Fixes: CVE-2018-7169
27
28Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0]
29Reported-by: Craig Furman <craig.furman89@gmail.com>
30Signed-off-by: Aleksa Sarai <asarai@suse.de>
31Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
32---
33 src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
34 1 file changed, 80 insertions(+), 9 deletions(-)
35
36diff --git a/src/newgidmap.c b/src/newgidmap.c
37index b1e33513..59a2e75c 100644
38--- a/src/newgidmap.c
39+++ b/src/newgidmap.c
40@@ -46,32 +46,37 @@
41 */
42 const char *Prog;
43
44-static bool verify_range(struct passwd *pw, struct map_range *range)
45+
46+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
47 {
48 /* An empty range is invalid */
49 if (range->count == 0)
50 return false;
51
52- /* Test /etc/subgid */
53- if (have_sub_gids(pw->pw_name, range->lower, range->count))
54+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
55+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
56+ *allow_setgroups = true;
57 return true;
58+ }
59
60- /* Allow a process to map it's own gid */
61- if ((range->count == 1) && (pw->pw_gid == range->lower))
62+ /* Allow a process to map its own gid. */
63+ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
64+ /* noop -- if setgroups is enabled already we won't disable it. */
65 return true;
66+ }
67
68 return false;
69 }
70
71 static void verify_ranges(struct passwd *pw, int ranges,
72- struct map_range *mappings)
73+ struct map_range *mappings, bool *allow_setgroups)
74 {
75 struct map_range *mapping;
76 int idx;
77
78 mapping = mappings;
79 for (idx = 0; idx < ranges; idx++, mapping++) {
80- if (!verify_range(pw, mapping)) {
81+ if (!verify_range(pw, mapping, allow_setgroups)) {
82 fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
83 Prog,
84 mapping->upper,
85@@ -89,6 +94,70 @@ static void usage(void)
86 exit(EXIT_FAILURE);
87 }
88
89+void write_setgroups(int proc_dir_fd, bool allow_setgroups)
90+{
91+ int setgroups_fd;
92+ char *policy, policy_buffer[4096];
93+
94+ /*
95+ * Default is "deny", and any "allow" will out-rank a "deny". We don't
96+ * forcefully write an "allow" here because the process we are writing
97+ * mappings for may have already set themselves to "deny" (and "allow"
98+ * is the default anyway). So allow_setgroups == true is a noop.
99+ */
100+ policy = "deny\n";
101+ if (allow_setgroups)
102+ return;
103+
104+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
105+ if (setgroups_fd < 0) {
106+ /*
107+ * If it's an ENOENT then we are on too old a kernel for the setgroups
108+ * code to exist. Emit a warning and bail on this.
109+ */
110+ if (ENOENT == errno) {
111+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
112+ goto out;
113+ }
114+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
115+ Prog,
116+ strerror(errno));
117+ exit(EXIT_FAILURE);
118+ }
119+
120+ /*
121+ * Check whether the policy is already what we want. /proc/self/setgroups
122+ * is write-once, so attempting to write after it's already written to will
123+ * fail.
124+ */
125+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
126+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
127+ Prog,
128+ strerror(errno));
129+ exit(EXIT_FAILURE);
130+ }
131+ if (!strncmp(policy_buffer, policy, strlen(policy)))
132+ goto out;
133+
134+ /* Write the policy. */
135+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
136+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
137+ Prog,
138+ strerror(errno));
139+ exit(EXIT_FAILURE);
140+ }
141+ if (dprintf(setgroups_fd, "%s", policy) < 0) {
142+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
143+ Prog,
144+ policy,
145+ strerror(errno));
146+ exit(EXIT_FAILURE);
147+ }
148+
149+out:
150+ close(setgroups_fd);
151+}
152+
153 /*
154 * newgidmap - Set the gid_map for the specified process
155 */
156@@ -103,6 +172,7 @@ int main(int argc, char **argv)
157 struct stat st;
158 struct passwd *pw;
159 int written;
160+ bool allow_setgroups = false;
161
162 Prog = Basename (argv[0]);
163
164@@ -145,7 +215,7 @@ int main(int argc, char **argv)
165 (unsigned long) getuid ()));
166 return EXIT_FAILURE;
167 }
168-
169+
170 /* Get the effective uid and effective gid of the target process */
171 if (fstat(proc_dir_fd, &st) < 0) {
172 fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
173@@ -177,8 +247,9 @@ int main(int argc, char **argv)
174 if (!mappings)
175 usage();
176
177- verify_ranges(pw, ranges, mappings);
178+ verify_ranges(pw, ranges, mappings, &allow_setgroups);
179
180+ write_setgroups(proc_dir_fd, allow_setgroups);
181 write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
182 sub_gid_close();
183
184--
1852.13.3
186