author | Nikolay Amiantov <ab@fmap.me> | 2016-01-12 14:40:45 +0300 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2016-01-12 14:40:45 +0300 |
commit | 9124e9584b3d952fdd6047bbdf610be0ef1ad45f (patch) | |
tree | 54d60290230482d9f270f46169fee7f13cf7b206 | |
parent | 6fd00586dd51194a86f495073f9643968b40d960 (diff) | |
parent | ed4219964d9974aec463070bb639f7013d1ffedf (diff) | |
download | nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar.gz nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar.bz2 nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar.lz nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar.xz nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.tar.zst nixlib-9124e9584b3d952fdd6047bbdf610be0ef1ad45f.zip |
Merge pull request #11779 from abbradar/fhs-root
chroot-user: don't create new user namespace if we are root
-rw-r--r-- | pkgs/build-support/build-fhs-chrootenv/env.nix | 7 | ||||
-rwxr-xr-x | pkgs/build-support/build-fhs-userenv/chroot-user.rb | 43 |
2 files changed, 33 insertions, 17 deletions
diff --git a/pkgs/build-support/build-fhs-chrootenv/env.nix b/pkgs/build-support/build-fhs-chrootenv/env.nix
index c00d3865afab..d28773f00ace 100644
--- a/pkgs/build-support/build-fhs-chrootenv/env.nix
+++ b/pkgs/build-support/build-fhs-chrootenv/env.nix
@@ -56,7 +56,7 @@ let
 export PS1='${name}-chrootenv:\u@\h:\w\$ '
 export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
 export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
- export PATH='/usr/bin:/usr/sbin'
+ export PATH='/var/setuid-wrappers:/usr/bin:/usr/sbin'
 ${profile}
 '';
 
@@ -81,6 +81,11 @@ let
 ln -s /host-etc/resolv.conf resolv.conf
 ln -s /host-etc/nsswitch.conf nsswitch.conf
 
+ # symlink sudo and su stuff
+ ln -s /host-etc/login.defs login.defs
+ ln -s /host-etc/sudoers sudoers
+ ln -s /host-etc/sudoers.d sudoers.d
+
 # symlink other core stuff
 ln -s /host-etc/localtime localtime
 ln -s /host-etc/machine-id machine-id
diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
index 97316ac43695..250e6a908434 100755
--- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb
+++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
@@ -53,6 +53,7 @@ $unshare = make_fcall 'unshare', [Fiddle::TYPE_INT], Fiddle::TYPE_INT
 MS_BIND = 0x1000
 MS_REC = 0x4000
+MS_SLAVE = 0x80000
 $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, Fiddle::TYPE_VOIDP, 
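Review bot: The new first PATH entry `/var/setuid-wrappers` carries no comment, and whether that directory is actually visible inside the chroot depends on the mount list set up outside this hunk, which I can't see from here; if it isn't, `sudo`/`su` resolve to whatever non-setuid copies exist under /usr/bin and simply fail. Putting it first is what makes the setuid wrappers shadow same-named binaries further down the PATH, which is worth stating. I'd add `# NixOS setuid wrappers (sudo, su, ...) go first so they shadow non-setuid copies in /usr/bin; presumably a dangling entry on non-NixOS hosts` above the export. The shell snippet this assignment sits in starts and ends outside the hunk.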
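Review bot: The three new `ln -s /host-etc/...` lines make the host's sudo and login policy authoritative inside the chroot, and the comment `# symlink sudo and su stuff` does not say that this is the intent or why the host copies are the right ones. I'd replace it with `# sudo/su read /etc/sudoers, /etc/sudoers.d and /etc/login.defs; link to the host's files so the host's privilege policy applies unchanged inside the chroot (sudo also wants these root-owned and non-writable, which linking rather than copying preserves)`. Like the resolv.conf and nsswitch.conf links just above, these will dangle on a host without a sudo configuration, which is presumably harmless but worth a word. The enclosing shell snippet starts and ends outside the hunk.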
@@ -92,23 +93,31 @@ root = Dir.mktmpdir 'chrootenv'
 # we don't use threads at all.
 $cpid = $fork.call
 if $cpid == 0
- # Save user UID and GID
- uid = Process.uid
- gid = Process.gid
-
- # Create new mount and user namespaces
- # CLONE_NEWUSER requires a program to be non-threaded, hence
- # native fork above.
- $unshare.call CLONE_NEWNS | CLONE_NEWUSER
-
- # Map users and groups to the parent namespace
- begin
- # setgroups is only available since Linux 3.19
- write_file '/proc/self/setgroups', 'deny'
- rescue
+ # If we are root, no need to create new user namespace.
+ if Process.uid == 0
+ $unshare.call CLONE_NEWNS
+ # Mark all mounted filesystems as slave so changes
+ # don't propagate to the parent mount namespace.
+ $mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil
+ else
+ # Save user UID and GID
+ uid = Process.uid
+ gid = Process.gid
+
+ # Create new mount and user namespaces
+ # CLONE_NEWUSER requires a program to be non-threaded, hence
+ # native fork above.
+ $unshare.call CLONE_NEWNS | CLONE_NEWUSER
+
+ # Map users and groups to the parent namespace
+ begin
+ # setgroups is only available since Linux 3.19
+ write_file '/proc/self/setgroups', 'deny'
+ rescue
+ end
+ write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
+ write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
 end
- write_file '/proc/self/uid_map', "#{uid} #{uid} 1"
- write_file '/proc/self/gid_map', "#{gid} #{gid} 1"
 
 # Do rbind mounts.
 mounts.each do |from, rto|
@@ -117,6 +126,8 @@ if $cpid == 0
 $mount.call from, to, nil, MS_BIND | MS_REC, nil
 end
 
+ # Don't make root private so privilege drops inside chroot are possible
+ File.chmod(0755, root)
 # Chroot!
 Dir.chroot root
 Dir.chdir '/' |
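Review bot: In the new root branch the return values of `$unshare.call CLONE_NEWNS` and `$mount.call nil, '/', nil, MS_REC | MS_SLAVE, nil` are ignored, so if either call fails the script carries on as real root and performs the later rbind mounts and `Dir.chroot` in a mount namespace that is still the host's (or still shares propagation with it). The unprivileged branch fails closed more or less by accident, because the `/proc/self/uid_map` write raises when `unshare` did not create a user namespace; nothing comparable protects the root path. Assuming `make_fcall` hands back the raw C return value, I'd check both: `raise "unshare(CLONE_NEWNS) failed: #{Fiddle.last_error}" unless $unshare.call(CLONE_NEWNS).zero?` and `raise "mount(MS_REC|MS_SLAVE) failed: #{Fiddle.last_error}" unless $mount.call(nil, '/', nil, MS_REC | MS_SLAVE, nil).zero?`. The `if $cpid == 0` block continues past the end of this hunk.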
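Review bot: `File.chmod(0755, root)` opens up a directory that lives in the host's temp directory (Ruby's `Dir.mktmpdir` creates it 0700), and the comment `# Don't make root private so privilege drops inside chroot are possible` says neither which process needs the wider mode nor what other host users can now see. I'd reword it to `# mktmpdir creates root as 0700; a process that drops to an unprivileged uid inside the chroot must still be able to traverse and list "/", so open it up` and, if my reading of the namespace setup above is right, add `# the bind mounts are only visible in our own mount namespace, so on the host this stays an empty directory`. That second sentence is an inference from the MS_SLAVE / user-namespace code earlier in the file, not something this hunk establishes, so please confirm before keeping it. The enclosing `if $cpid == 0` block begins outside this hunk.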