Attachment #132421 for bug #194550

View | Details | Raw Unified | Return to bug 194550
Collapse All | Expand All

Lines 29-38 struct devinfo_t { Link Here

(-)a/commands/chroothelper.h.in (-3 / +3 lines)
29		29
30	struct devinfo_t devices[] = {	30	struct devinfo_t devices[] = {
31	{ "null", S_IFCHR, 0666, 1, 3 },	31	{ "null", S_IFCHR, 0666, 1, 3 },
32	{ "zero", S_IFCHR, 0644, 1, 4 },	32	{ "zero", S_IFCHR, 0666, 1, 5 },
33	{ "urandom", S_IFCHR, 0666, 1, 9 },	33	{ "urandom", S_IFCHR, 0444, 1, 9 },
34	{ "tty", S_IFCHR, 0666, 5, 0 },	34	{ "tty", S_IFCHR, 0666, 5, 0 },
35	{ "console", S_IFCHR, 0666, 5, 1 },	35	{ "console", S_IFCHR, 0600, 5, 1 },
36	{ "ptmx", S_IFCHR, 0666, 5, 2 } };	36	{ "ptmx", S_IFCHR, 0666, 5, 2 } };
37		37
38		38




            return rc;
    }

    /* keep our capabilities as we transition back to our real uid */
    prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);

    if (switch_to_user(RMAKE_USER)) {
	fprintf(stderr, "ERROR: can not assume %s privileges\n", RMAKE_USER);
	return -1;
    }

    /* also initgroups here */

    /* retain chroot() and mknod() */
    cap = cap_from_text("cap_sys_chroot,cap_mknod,cap_setuid,cap_setgid+ep");
    if (NULL == cap) {
        perror("cap_from_text");
        return 1;
    }
    if (0 != cap_set_proc(cap)) {
        perror("cap_set_proc");
        return 1;
    }
    cap_free(cap);

    /* we need to allow creation of 666 devices */
    umask(0);
    /* make sure we create all nodes as root.root */
    if ((rc = switch_to_uid_gid(0, 0)))
        return rc;
    /* mknod here */
    for(i=0; i < (sizeof(devices) / sizeof(devices[0])); i++) {
        struct devinfo_t device = devices[i];

    }
    /* restore sane umask */
    umask(0002);



    /* keep our capabilities as we transition back to our real uid */
    prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);

    if (switch_to_user(RMAKE_USER)) {
	fprintf(stderr, "ERROR: can not assume %s privileges\n", RMAKE_USER);
	return -1;
    }

    /* also initgroups here */

    /* retain chroot() and mknod() */
    cap = cap_from_text("cap_sys_chroot,cap_setuid,cap_setgid+ep");
    if (NULL == cap) {
        perror("cap_from_text");
        return 1;
    }
    if (0 != cap_set_proc(cap)) {
        perror("cap_set_proc");
        return 1;
    }
    cap_free(cap);

    /* make required symlinks */
    for(i=0; i < (sizeof(symlinks) / sizeof(symlinks[0])); i++) {

Return to bug 194550

Lines 335-364 int enter_chroot(const char * chrootDir, Link Here

(-)a/commands/chroothelper.c (-22 / +27 lines)
335	return rc;	335	return rc;
336	}	336	}
337		337
338	/* keep our capabilities as we transition back to our real uid */
339	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
340
341	if (switch_to_user(RMAKE_USER)) {
342	fprintf(stderr, "ERROR: can not assume %s privileges\n", RMAKE_USER);
343	return -1;
344	}
345
346	/* also initgroups here */
347
348	/* retain chroot() and mknod() */
349	cap = cap_from_text("cap_sys_chroot,cap_mknod,cap_setuid,cap_setgid+ep");
350	if (NULL == cap) {
351	perror("cap_from_text");
352	return 1;
353	}
354	if (0 != cap_set_proc(cap)) {
355	perror("cap_set_proc");
356	return 1;
357	}
358	cap_free(cap);
359
360	/* we need to allow creation of 666 devices */	338	/* we need to allow creation of 666 devices */
361	umask(0);	339	umask(0);
		340	/* make sure we create all nodes as root.root */
		341	if ((rc = switch_to_uid_gid(0, 0)))
		342	return rc;
362	/* mknod here */	343	/* mknod here */
363	for(i=0; i < (sizeof(devices) / sizeof(devices[0])); i++) {	344	for(i=0; i < (sizeof(devices) / sizeof(devices[0])); i++) {
364	struct devinfo_t device = devices[i];	345	struct devinfo_t device = devices[i];
Lines 384-389 int enter_chroot(const char * chrootDir, Link Here
384	}	365	}
385	/* restore sane umask */	366	/* restore sane umask */
386	umask(0002);	367	umask(0002);
		368
		369
		370
		371	/* keep our capabilities as we transition back to our real uid */
		372	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
		373
		374	if (switch_to_user(RMAKE_USER)) {
		375	fprintf(stderr, "ERROR: can not assume %s privileges\n", RMAKE_USER);
		376	return -1;
		377	}
		378
		379	/* also initgroups here */
		380
		381	/* retain chroot() and mknod() */
		382	cap = cap_from_text("cap_sys_chroot,cap_setuid,cap_setgid+ep");
		383	if (NULL == cap) {
		384	perror("cap_from_text");
		385	return 1;
		386	}
		387	if (0 != cap_set_proc(cap)) {
		388	perror("cap_set_proc");
		389	return 1;
		390	}
		391	cap_free(cap);
387		392
388	/* make required symlinks */	393	/* make required symlinks */
389	for(i=0; i < (sizeof(symlinks) / sizeof(symlinks[0])); i++) {	394	for(i=0; i < (sizeof(symlinks) / sizeof(symlinks[0])); i++) {