author | Stefano Brivio <sbrivio@redhat.com> | 2021-10-14 18:01:00 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-10-14 18:01:00 +0200 |
commit | 388435542eeba594557d604630e3cf26d3737e9d (patch) | |
tree | 4bc3d7b07916d4358fbe70f985275f7c833c8bd4 | |
parent | 54a65e36931c83c234cafc5a338aad66736422c4 (diff) | |
passt: Don't refuse to run if UID is 0 in non-init namespace
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r-- | passt.c | 15 |
1 files changed, 14 insertions, 1 deletions
@@ -189,15 +189,28 @@ static void seccomp(struct ctx *c)
 }
 /**
- * check_root() - Warn if we're running as root, exit if we can't drop to nobody
+ * check_root() - Warn if root in init, exit if we can't drop to nobody
 */
 static void check_root(void)
 {
 struct passwd *pw;
+ char buf[BUFSIZ];
+ int fd;
 if (getuid() && geteuid())
 return;
+ if ((fd = open("/proc/self/uid_map", O_RDONLY)) < 0)
+ return;
+
+ if (read(fd, buf, BUFSIZ) > 0 &&
+ strcmp(buf, " 0 0 4294967295")) {
+ close(fd);
+ return;
+ }
+
+ close(fd);
+
 fprintf(stderr, "Don't run this as root. Changing to nobody...\n");
 pw = getpwnam("nobody");
 if (!pw) { |
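Review bot: In the new `read()`/`strcmp()` pair, `buf` is never NUL-terminated — `read()` adds no terminator and the array is uninitialised — so `strcmp()` walks past the bytes actually read into stack garbage, and a uid_map exactly BUFSIZ bytes long would take it off the end of the array. The kernel also ends each uid_map line with a newline, which the literal lacks, so in the init namespace the comparison most likely reports a mismatch and the function returns before dropping to nobody, the opposite of what the commit message intends (the rendered page collapses whitespace, so the literal's exact spacing cannot be verified from here). An `open()` failure likewise returns early and keeps the process running as root, whereas failing closed — proceeding to the drop — is the safer default, and `O_CLOEXEC` would avoid leaking the descriptor across the later exec/namespace setup. A zero-initialised buffer sized to the expected map, a bounded read and a fall-through on error address all three; the rest of check_root() (the getpwnam/setuid path) continues outside the hunk.
```c
	const char init_map[] = "         0          0 4294967295\n";
	char buf[sizeof(init_map)] = { 0 };	/* zeroed: read() leaves no terminator */
	ssize_t n;
	int fd;

	/* … unchanged: getuid()/geteuid() early return … */

	if ((fd = open("/proc/self/uid_map", O_RDONLY | O_CLOEXEC)) < 0)
		goto drop;	/* can't prove we're in a user namespace: fail closed */

	n = read(fd, buf, sizeof(buf) - 1);
	close(fd);
	if (n > 0 && strcmp(buf, init_map))
		return;		/* root only inside a user namespace: nothing to drop */

drop:
	/* … unchanged: warn, getpwnam("nobody") and drop privileges … */
```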