newgidmap: enforce setgroups=deny if self-mapping a group

cyphar · cyphar · commit f275a0884427 · 2018-02-16T01:37:18.000+11:00
This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by dropping supplementary groups that were "blacklisted" from certain paths. This is the simplest fix for the underlying issue, and effectively makes it so that unless a user has a valid mapping set in /etc/subgid (which only administrators can modify) -- and they are currently trying to use that mapping -- then /proc/$pid/setgroups will be set to deny. This workaround is only partial, because ideally it should be possible to set an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow administrators to further restrict newgidmap(1). Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 Reported-by: Craig Furman <craig.furman89@gmail.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
diff --git a/README b/README
@@ -44,6 +44,7 @@ a lot of mail...
 
 Adam Rudnicki <adam@v-lo.krakow.pl>
 Alan Curry <pacman@tardis.mars.net>
+Aleksa Sarai <cyphar@cyphar.com>
 Alexander O. Yuriev <alex@bach.cis.temple.edu>
 Algis Rudys <arudys@rice.edu>
 Andreas Jaeger <aj@arthur.rhein-neckar.de>
diff --git a/src/newgidmap.c b/src/newgidmap.c
@@ -46,32 +46,37 @@
  */
 const char *Prog;
 
-static bool verify_range(struct passwd *pw, struct map_range *range)
+
+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
 {
 	/* An empty range is invalid */
 	if (range->count == 0)
 		return false;
 
-	/* Test /etc/subgid */
-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
+	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
+	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
+		*allow_setgroups = true;
 		return true;
+	}
 
-	/* Allow a process to map its own gid */
-	if ((range->count == 1) && (pw->pw_gid == range->lower))
+	/* Allow a process to map its own gid. */
+	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
+		/* noop -- if setgroups is enabled already we won't disable it. */
 		return true;
+	}
 
 	return false;
 }
 
 static void verify_ranges(struct passwd *pw, int ranges,
-	struct map_range *mappings)
+	struct map_range *mappings, bool *allow_setgroups)
 {
 	struct map_range *mapping;
 	int idx;
 
 	mapping = mappings;
 	for (idx = 0; idx < ranges; idx++, mapping++) {
-		if (!verify_range(pw, mapping)) {
+		if (!verify_range(pw, mapping, allow_setgroups)) {
 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
 				Prog,
 				mapping->upper,
@@ -89,6 +94,36 @@ static void usage(void)
 	exit(EXIT_FAILURE);
 }
 
+void write_setgroups(int proc_dir_fd, unsigned int allow_setgroups)
+{
+	int setgroups_fd = openat(proc_dir_fd, "setgroups", O_WRONLY);
+	if (setgroups_fd < 0) {
+		/*
+		 * If it's an ENOENT then we are on too old a kernel for the setgroups
+		 * code to exist. Emit a warning and bail on this.
+		 */
+		if (ENOENT == errno) {
+			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
+			return;
+		}
+		fprintf(stderr, _("%s: couldn't open process setgroups: %m\n"), Prog);
+		exit(EXIT_FAILURE);
+	}
+
+	/* Default is deny, and any allow will out-rank a deny. */
+	char *policy = "deny";
+	if (allow_setgroups)
+		policy = "allow";
+
+	/* Write to setgroups. */
+	if (dprintf(setgroups_fd, "%s\n", policy) < 0) {
+		fprintf(stderr, _("%s: failed to set setgroups %s policy: %m"),
+			Prog,
+			policy);
+		exit(EXIT_FAILURE);
+	}
+}
+
 /*
  * newgidmap - Set the gid_map for the specified process
  */
@@ -103,6 +138,7 @@ int main(int argc, char **argv)
 	struct stat st;
 	struct passwd *pw;
 	int written;
+	bool allow_setgroups = false;
 
 	Prog = Basename (argv[0]);
 
@@ -145,7 +181,7 @@ int main(int argc, char **argv)
 				(unsigned long) getuid ()));
 		return EXIT_FAILURE;
 	}
-	
+
 	/* Get the effective uid and effective gid of the target process */
 	if (fstat(proc_dir_fd, &st) < 0) {
 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
@@ -177,8 +213,9 @@ int main(int argc, char **argv)
 	if (!mappings)
 		usage();
 
-	verify_ranges(pw, ranges, mappings);
+	verify_ranges(pw, ranges, mappings, &allow_setgroups);
 
+	write_setgroups(proc_dir_fd, allow_setgroups);
 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
 	sub_gid_close();
 

-Original file line number
+Diff line change
 Adam Rudnicki <[email protected]>
 Alan Curry <[email protected]>
 +Aleksa Sarai <[email protected]>
 Alexander O. Yuriev <[email protected]>
 Algis Rudys <[email protected]>
 Andreas Jaeger <[email protected]>