author | Tiago Natel <t.nateldemoura@f5.com> | 2019-10-22 14:46:15 +0000 |
---|---|---|
committer | Tiago Natel <t.nateldemoura@f5.com> | 2019-10-22 14:46:15 +0000 |
commit | 23b94fde832dcccb801be9acde1471c3fca3a4e9 (patch) | |
tree | 17842c65d7821a74f3d3eb897f47ce6a371d3cdd /src/nxt_process.c | |
parent | 2dbfd7c35e807770f2d3984a84b3f742d9392994 (diff) | |
Improved error logging when uid/gid map is not properly set.
When using "credential: true", the new namespace starts with completely
empty uid and gid ranges. Then, any setuid/setgid/setgroups calls using ids
not properly mapped with uidmap and gidmap fields return EINVAL, meaning
the id is not valid inside the new namespace.
Diffstat (limited to 'src/nxt_process.c')
-rw-r--r-- | src/nxt_process.c | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/src/nxt_process.c b/src/nxt_process.c
index 0cc9ccc4..75a73f0f 100644
--- a/src/nxt_process.c
+++ b/src/nxt_process.c
@@ -723,16 +723,35 @@ free:
 nxt_int_t
 nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
 {
-    nxt_debug(task, "user cred set: \"%s\" uid:%uL base gid:%uL",
-              uc->user, (uint64_t) uc->uid, (uint64_t) uc->base_gid);
+    nxt_debug(task, "user cred set: \"%s\" uid:%d base gid:%d",
+              uc->user, uc->uid, uc->base_gid);
 
     if (setgid(uc->base_gid) != 0) {
+
+#if (NXT_HAVE_CLONE)
+        if (nxt_errno == EINVAL) {
+            nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
+                    "application namespace.", uc->base_gid);
+            return NXT_ERROR;
+        }
+#endif
+
         nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
         return NXT_ERROR;
     }
 
     if (uc->gids != NULL) {
         if (setgroups(uc->ngroups, uc->gids) != 0) {
+
+#if (NXT_HAVE_CLONE)
+            if (nxt_errno == EINVAL) {
+                nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
+                        "supplementary group ids not valid in the application "
+                        "namespace.", uc->user, uc->uid);
+                return NXT_ERROR;
+            }
+#endif
+
             nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
             return NXT_ERROR;
         }
@@ -747,6 +766,15 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
     }
 
     if (setuid(uc->uid) != 0) {
+
+#if (NXT_HAVE_CLONE)
+        if (nxt_errno == EINVAL) {
+            nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
+                    "valid in the application namespace.", uc->uid, uc->user);
+            return NXT_ERROR;
+        }
+#endif
+
         nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
         return NXT_ERROR;
     }
|
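Review bot: The `nxt_errno == EINVAL` branches added after setgid() and setgroups() in the first hunk (and after setuid() in the second) state as fact that the id is invalid in the application namespace, but the guard is the build-time `NXT_HAVE_CLONE` flag, which as far as I can tell does not prove this particular process was started with an isolated user namespace, and setgroups(2) also returns EINVAL when ngroups exceeds NGROUPS_MAX, so a non-isolated run with a bad id gets a misleading cause. The new messages also drop the `%E` errno text that the neighbouring nxt_alert() lines keep, which is the first thing an operator needs when a privilege drop fails. I would hedge the wording and keep errno, e.g. `nxt_log(task, NXT_LOG_ERR, "setgid(%d) failed %E; the gid may not be mapped in the application namespace", uc->base_gid, nxt_errno);`, and the same shape for the setgroups() and setuid() messages. Separately, the nxt_debug() change replaces `%uL` with `(uint64_t)` casts by plain `%d`, so ids at or above 2^31 print as negative numbers; the existing nxt_alert() calls share that limitation, so this is consistent but worth keeping the wider form where the original had it. nxt_user_cred_set() continues between the two hunks and past the end of the second.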