forked from josch/mmdebstrap
make sure that unshare mode cannot be run as superuser
This commit is contained in:
parent
ec9ceb2115
commit
cd39a44934
1 changed files with 6 additions and 0 deletions
|
@ -88,6 +88,9 @@ sub get_tar_compress_options($) {
|
||||||
}
|
}
|
||||||
|
|
||||||
sub test_unshare() {
|
sub test_unshare() {
|
||||||
|
if ($EFFECTIVE_USER_ID == 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
# arguments to syscalls have to be stored in their own variable or
|
# arguments to syscalls have to be stored in their own variable or
|
||||||
# otherwise we will get "Modification of a read-only value attempted"
|
# otherwise we will get "Modification of a read-only value attempted"
|
||||||
my $unshare_flags = CLONE_NEWUSER;
|
my $unshare_flags = CLONE_NEWUSER;
|
||||||
|
@ -1351,6 +1354,9 @@ sub main() {
|
||||||
}
|
}
|
||||||
} elsif ($options->{mode} eq 'unshare') {
|
} elsif ($options->{mode} eq 'unshare') {
|
||||||
if (!test_unshare()) {
|
if (!test_unshare()) {
|
||||||
|
if ($EFFECTIVE_USER_ID == 0) {
|
||||||
|
print STDERR "I: cannot use unshare mode when executing as root\n";
|
||||||
|
}
|
||||||
my $procfile = '/proc/sys/kernel/unprivileged_userns_clone';
|
my $procfile = '/proc/sys/kernel/unprivileged_userns_clone';
|
||||||
open(my $fh, '<', $procfile) or die "failed to open $procfile: $!";
|
open(my $fh, '<', $procfile) or die "failed to open $procfile: $!";
|
||||||
chomp(my $content = do { local $/; <$fh> });
|
chomp(my $content = do { local $/; <$fh> });
|
||||||
|
|
Loading…
Reference in a new issue