support/support_become_root.c

   1 /* Acquire root privileges.
   2    Copyright (C) 2016-2023 Free Software Foundation, Inc.
   3    This file is part of the GNU C Library.
   4
   5    The GNU C Library is free software; you can redistribute it and/or
   6    modify it under the terms of the GNU Lesser General Public
   7    License as published by the Free Software Foundation; either
   8    version 2.1 of the License, or (at your option) any later version.
   9
  10    The GNU C Library is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  13    Lesser General Public License for more details.
  14
  15    You should have received a copy of the GNU Lesser General Public
  16    License along with the GNU C Library; if not, see
  17    <https://www.gnu.org/licenses/>.  */
  18
  19 #include <support/namespace.h>
  20
  21 #include <errno.h>
  22 #include <fcntl.h>
  23 #include <sched.h>
  24 #include <stdio.h>
  25 #include <string.h>
  26 #include <support/check.h>
  27 #include <support/xunistd.h>
  28 #include <unistd.h>
  29
  30 #ifdef CLONE_NEWUSER
  31 /* The necessary steps to allow file creation in user namespaces.  */
  32 static void
  33 setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
  34 {
  35   int fd = open64 ("/proc/self/uid_map", O_WRONLY);
  36   if (fd < 0)
  37     {
  38       printf ("warning: could not open /proc/self/uid_map: %m\n"
  39               "warning: file creation may not be possible\n");
  40       return;
  41     }
  42
  43   /* We map our original UID to the same UID in the container so we
  44      own our own files normally.  Without that, file creation could
  45      fail with EOVERFLOW (sic!).  */
  46   char buf[100];
  47   int ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
  48                       (unsigned long long) original_uid,
  49                       (unsigned long long) original_uid);
  50   TEST_VERIFY_EXIT (ret < sizeof (buf));
  51   xwrite (fd, buf, ret);
  52   xclose (fd);
  53
  54   /* Linux 3.19 introduced the setgroups file.  We need write "deny" to this
  55      file otherwise writing to gid_map will fail with EPERM.  */
  56   fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
  57   if (fd < 0)
  58     {
  59       if (errno != ENOENT)
  60         FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
  61                     O_WRONLY, 0);
  62       /* This kernel doesn't expose the setgroups file so simply move on.  */
  63     }
  64   else
  65     {
  66       xwrite (fd, "deny\n", strlen ("deny\n"));
  67       xclose (fd);
  68     }
  69
  70   /* Now map our own GID, like we did for the user ID.  */
  71   fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);
  72   ret = snprintf (buf, sizeof (buf), "%llu %llu 1\n",
  73                   (unsigned long long) original_gid,
  74                   (unsigned long long) original_gid);
  75   TEST_VERIFY_EXIT (ret < sizeof (buf));
  76   xwrite (fd, buf, ret);
  77   xclose (fd);
  78 }
  79 #endif /* CLONE_NEWUSER */
  80
  81 bool
  82 support_become_root (void)
  83 {
  84 #ifdef CLONE_NEWUSER
  85   uid_t original_uid = getuid ();
  86   gid_t original_gid = getgid ();
  87
  88   if (unshare (CLONE_NEWUSER | CLONE_NEWNS) == 0)
  89     {
  90       setup_uid_gid_mapping (original_uid, original_gid);
  91       /* Even if we do not have UID zero, we have extended privileges at
  92          this point.  */
  93       return true;
  94     }
  95 #endif
  96   if (setuid (0) != 0)
  97     {
  98       printf ("warning: could not become root outside namespace (%m)\n");
  99       return false;
 100     }
 101   return true;
 102 }