summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_credential.c
diff options
context:
space:
mode:
authorTiago Natel <t.nateldemoura@f5.com>2019-12-06 16:52:50 +0000
committerTiago Natel <t.nateldemoura@f5.com>2019-12-06 16:52:50 +0000
commit411daeaa532c47328ab901a7ba9ea5dcd876be06 (patch)
tree90774780cf42278a5cb148992604e8fdb864f54b /src/nxt_credential.c
parented2492a66afdf578d1e4f99dc098ab685607b3ba (diff)
downloadunit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.gz
unit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.bz2
Isolation: allowed the use of credentials with unpriv userns.
The setuid/setgid syscalls requires root capabilities but if the kernel supports unprivileged user namespace then the child process has the full set of capabilities in the new namespace, then we can allow setting "user" and "group" in such cases (this is a common security use case). Tests were added to ensure user gets meaningful error messages for uid/gid mapping misconfigurations.
Diffstat (limited to '')
-rw-r--r--src/nxt_credential.c66
1 files changed, 37 insertions, 29 deletions
diff --git a/src/nxt_credential.c b/src/nxt_credential.c
index 9f275b7d..168db9cf 100644
--- a/src/nxt_credential.c
+++ b/src/nxt_credential.c
@@ -280,61 +280,69 @@ free:
nxt_int_t
-nxt_credential_set(nxt_task_t *task, nxt_credential_t *uc)
+nxt_credential_setuid(nxt_task_t *task, nxt_credential_t *uc)
{
- nxt_debug(task, "user cred set: \"%s\" uid:%d base gid:%d",
- uc->user, uc->uid, uc->base_gid);
+ nxt_debug(task, "user cred set: \"%s\" uid:%d", uc->user, uc->uid);
- if (setgid(uc->base_gid) != 0) {
+ if (setuid(uc->uid) != 0) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
- "application namespace.", uc->base_gid);
+ nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
+ "valid in the application namespace.", uc->uid, uc->user);
return NXT_ERROR;
}
#endif
- nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
+ nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
return NXT_ERROR;
}
- if (uc->gids != NULL) {
- if (setgroups(uc->ngroups, uc->gids) != 0) {
+ return NXT_OK;
+}
-#if (NXT_HAVE_CLONE)
- if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
- "supplementary group ids not valid in the application "
- "namespace.", uc->user, uc->uid);
- return NXT_ERROR;
- }
-#endif
- nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
- return NXT_ERROR;
- }
+nxt_int_t
+nxt_credential_setgids(nxt_task_t *task, nxt_credential_t *uc)
+{
+ nxt_runtime_t *rt;
- } else {
- /* MacOSX fallback. */
- if (initgroups(uc->user, uc->base_gid) != 0) {
- nxt_alert(task, "initgroups(%s, %d) failed %E",
- uc->user, uc->base_gid, nxt_errno);
+ nxt_debug(task, "user cred set gids: base gid:%d, ngroups: %d",
+ uc->base_gid, uc->ngroups);
+
+ rt = task->thread->runtime;
+
+ if (setgid(uc->base_gid) != 0) {
+
+#if (NXT_HAVE_CLONE)
+ if (nxt_errno == EINVAL) {
+ nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
+ "application namespace.", uc->base_gid);
return NXT_ERROR;
}
+#endif
+
+ nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
+ return NXT_ERROR;
}
- if (setuid(uc->uid) != 0) {
+ if (!rt->capabilities.setid) {
+ return NXT_OK;
+ }
+
+ if (nxt_slow_path(uc->ngroups > 0
+ && setgroups(uc->ngroups, uc->gids) != 0)) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
- nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
- "valid in the application namespace.", uc->uid, uc->user);
+ nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
+ "supplementary group ids not valid in the application "
+ "namespace.", uc->user, uc->uid);
return NXT_ERROR;
}
#endif
- nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
+ nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
return NXT_ERROR;
}