From: Lennart Poettering
Date: Wed, 21 Nov 2012 01:58:55 +0000 (+0100)
Subject: nspawn: reset supplementary and main group id before entering nspawn
X-Git-Tag: v197~230
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=3c957acf86b9ec482a527528987b2462a32e0d07;hp=ba9904e9ce0628cce3bbd8106f6dc6914e418eda;ds=sidebyside
nspawn: reset supplementary and main group id before entering nspawn
---
diff --git a/TODO b/TODO
index 4a49f4936..85b6e9bb5 100644
--- a/TODO
+++ b/TODO
@@ -180,8 +180,6 @@ Features:
 * nspawn: implement personality changes a la linux32(8)
-* nspawn: reset all aux groups
-
 * cryptsetup-generator: warn if the password files are world-readable
 * cryptsetup-generator: add RequiresMountsFor= to cryptseup service files referencing a file, similar for devices
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 244ebb834..59171abff 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1327,6 +1327,23 @@ int main(int argc, char *argv[]) {
 log_error("setreuid() failed: %m");
 goto child_fail;
 }
+ } else {
+ /* Reset everything fully to 0, just in case */
+
+ if (setgroups(0, NULL) < 0) {
+ log_error("setgroups() failed: %m");
+ goto child_fail;
+ }
+
+ if (setresgid(0, 0, 0) < 0) {
+ log_error("setregid() failed: %m");
+ goto child_fail;
+ }
+
+ if (setresuid(0, 0, 0) < 0) {
+ log_error("setreuid() failed: %m");
+ goto child_fail;
+ }
 }
 if ((asprintf((char**)(envp + 3), "HOME=%s", home ? home: "/root") < 0) ||
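Review bot: The two new failure messages in the else branch of the nspawn.c hunk name the wrong calls: `setresgid(0, 0, 0)` logs `setregid() failed` and `setresuid(0, 0, 0)` logs `setreuid() failed`, which points anyone reading the log at the wrong syscall when the credential reset fails. They should read `log_error("setresgid() failed: %m");` and `log_error("setresuid() failed: %m");`. The same `setreuid()` string appears in the context line above the added branch, but the call it reports is outside the hunk, so that branch is worth checking too. The comment "just in case" could state what is being guarded, for example `/* Drop supplementary groups inherited from the invoking process and set real, effective and saved uid/gid to 0 */`. main() starts and ends outside the hunk.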