technocloud-public/nginx-unit
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Improved error logging when uid/gid map is not properly set.

Browse Source 
When using "credential: true", the new namespace starts with a completely
empty uid and gid ranges.  Then, any setuid/setgid/setgroups calls using ids
not properly mapped with uidmap and gidmap fields return EINVAL, meaning
the id is not valid inside the new namespace.
This commit is contained in:
Tiago Natel
2019-10-22 14:46:15 +00:00
parent 2dbfd7c35e
commit 23b94fde83
1 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/nxt_process.c
View File

@@ -723,16 +723,35 @@ free:
nxt_int_t nxt_int_t
nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc) nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
{ {
nxt_debug(task, "user cred set: \"%s\" uid:%uL base gid:%uL", nxt_debug(task, "user cred set: \"%s\" uid:%d base gid:%d",
uc->user, (uint64_t) uc->uid, (uint64_t) uc->base_gid); uc->user, uc->uid, uc->base_gid);
if (setgid(uc->base_gid) != 0) { if (setgid(uc->base_gid) != 0) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
"application namespace.", uc->base_gid);
return NXT_ERROR;
}
#endif
nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno); nxt_alert(task, "setgid(%d) failed %E", uc->base_gid, nxt_errno);
return NXT_ERROR; return NXT_ERROR;
} }
if (uc->gids != NULL) { if (uc->gids != NULL) {
if (setgroups(uc->ngroups, uc->gids) != 0) { if (setgroups(uc->ngroups, uc->gids) != 0) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
"supplementary group ids not valid in the application "
"namespace.", uc->user, uc->uid);
return NXT_ERROR;
}
#endif
nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno); nxt_alert(task, "setgroups(%i) failed %E", uc->ngroups, nxt_errno);
return NXT_ERROR; return NXT_ERROR;
} }
@@ -747,6 +766,15 @@ nxt_user_cred_set(nxt_task_t *task, nxt_user_cred_t *uc)
} }
if (setuid(uc->uid) != 0) { if (setuid(uc->uid) != 0) {
#if (NXT_HAVE_CLONE)
if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
"valid in the application namespace.", uc->uid, uc->user);
return NXT_ERROR;
}
#endif
nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno); nxt_alert(task, "setuid(%d) failed %E", uc->uid, nxt_errno);
return NXT_ERROR; return NXT_ERROR;
} }