mirrors/passt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

passt: Don't refuse to run if UID is 0 in non-init namespace

Browse source 
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio 2021-10-14 18:01:00 +02:00
parent 54a65e3693
commit 388435542e
1 changed files with 14 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
passt.c
View file

@ -189,15 +189,28 @@ static void seccomp(struct ctx *c)
} }
/** /**
* check_root() - Warn if we're running as root, exit if we can't drop to nobody * check_root() - Warn if root in init, exit if we can't drop to nobody
*/ */
static void check_root(void) static void check_root(void)
{ {
struct passwd *pw; struct passwd *pw;
char buf[BUFSIZ];
int fd;
if (getuid() && geteuid()) if (getuid() && geteuid())
return; return;
if ((fd = open("/proc/self/uid_map", O_RDONLY)) < 0)
return;
if (read(fd, buf, BUFSIZ) > 0 &&
strcmp(buf, " 0 0 4294967295")) {
close(fd);
return;
}
close(fd);
fprintf(stderr, "Don't run this as root. Changing to nobody...\n"); fprintf(stderr, "Don't run this as root. Changing to nobody...\n");
pw = getpwnam("nobody"); pw = getpwnam("nobody");
if (!pw) { if (!pw) {