Isolation: allowed the use of credentials with unpriv userns.

The setuid/setgid syscalls requires root capabilities but if the kernel supports unprivileged user namespace then the child process has the full set of capabilities in the new namespace, then we can allow setting "user" and "group" in such cases (this is a common security use case). Tests were added to ensure user gets meaningful error messages for uid/gid mapping misconfigurations.
author: Tiago Natel <t.nateldemoura@f5.com> 2019-12-06 16:52:50 +0000
committer: Tiago Natel <t.nateldemoura@f5.com> 2019-12-06 16:52:50 +0000
commit: 411daeaa532c47328ab901a7ba9ea5dcd876be06 (patch)
tree: 90774780cf42278a5cb148992604e8fdb864f54b /src/nxt_credential.h
parent: ed2492a66afdf578d1e4f99dc098ab685607b3ba (diff)
download: unit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.gz
unit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/src/nxt_credential.h b/src/nxt_credential.h
index e9f59327..243eba83 100644
--- a/src/nxt_credential.h
+++ b/src/nxt_credential.h
@@ -21,7 +21,9 @@ typedef struct {
 
 NXT_EXPORT nxt_int_t nxt_credential_get(nxt_task_t *task, nxt_mp_t *mp,
     nxt_credential_t *uc, const char *group);
-NXT_EXPORT nxt_int_t nxt_credential_set(nxt_task_t *task,
+NXT_EXPORT nxt_int_t nxt_credential_setuid(nxt_task_t *task,
+    nxt_credential_t *uc);
+NXT_EXPORT nxt_int_t nxt_credential_setgids(nxt_task_t *task,
     nxt_credential_t *uc);
author	Tiago Natel <t.nateldemoura@f5.com>	2019-12-06 16:52:50 +0000
committer	Tiago Natel <t.nateldemoura@f5.com>	2019-12-06 16:52:50 +0000
commit	411daeaa532c47328ab901a7ba9ea5dcd876be06 (patch)
tree	90774780cf42278a5cb148992604e8fdb864f54b /src/nxt_credential.h
parent	ed2492a66afdf578d1e4f99dc098ab685607b3ba (diff)
download	unit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.gz unit-411daeaa532c47328ab901a7ba9ea5dcd876be06.tar.bz2