newsubgid: add deny_setgroups option to /etc/subgid #99
+316
−48
Commits on Feb 19, 2018
-
Add a free_list helper so that we can duplicate list to callers and require them to do the freeing for us, as well as a comma_from_list helper for the /etc/sub{uid,gid} writing functions. In addition, fix up the duplication code to just ignore NULL lists rather than aborting (for no good reason). As an aside, we really should switch to sharing the list code from somewhere else rather than maintaining a separate version within shadow-utils... Signed-off-by: Aleksa Sarai <[email protected]> -
lib: subordinateio: add options field to /etc/sub{uid,gid}
Add support for an optional options field in /etc/sub{uid,gid}. We treat this like other optional fields in /etc/passwd -- by ignoring its non-existence and providing some functions to access the options. We need these in order to be able to have the "allow_setgroups" and "deny_setgroups" options in /etc/sub{uid,gid}. This also required making libmisc a dependency of libshadow, which in turn required converting libmisc to a libtool library so that AutoMake didn't complain. It appears this mostly doesn't change any aspect of the build other than allowing us to use libmisc symbols in libshadow. Signed-off-by: Aleksa Sarai <[email protected]> -
src: new{uid,gid}map: add basic (noop) support for options
Add the most basic support for the new /etc/sub{uid,gid} options possible (parse them and if any options are present then output an error). We ignore empty-string options to avoid cases where an empty field breaks things. Signed-off-by: Aleksa Sarai <[email protected]> -
newgidmap: add deny_setgroups option to /etc/subgid
Add a new deny_setgroups (and corresponding allow_setgroups) option to /etc/subgid. The purpose of this option is to extend the security protections against CVE-2018-7169, so that even group mapping configured in /etc/subgid by an administrator can still disable setgroups. However, rather than the fairly lenient semantics for self-mapping, the semantics of /etc/subgid are stronger. If a mapping is encountered where "deny_setgroups" is set, then no other mapping can "undo" this restriction. The reason for this is that "deny_setgroups" indicates that (according to the administrator) the mapping is unsafe to allow setgroups in, and adding more mappings will not change this fact. "allow_setgroups" is the default, and setting it is a noop. The logic used when applying setgroups policies is unchanged (only denies are written, and we don't write anything if it's already denied). Signed-off-by: Aleksa Sarai <[email protected]>
-
man: add documentation for new setgroups(2) semantics
Add documentation for allow_setgroups, deny_setgroups, the new option format of /etc/sub{uid,gid}, and fix some errors in the groupmod(8) man page that stopped it from building properly on my machine. Signed-off-by: Aleksa Sarai <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.