make sure that unshare mode cannot be run as superuser

This commit is contained in:
Johannes 'josch' Schauer 2018-09-24 20:07:46 +02:00
parent ec9ceb2115
commit cd39a44934
Signed by untrusted user: josch
GPG key ID: F2CBA5C78FBD83E1

View file

@ -88,6 +88,9 @@ sub get_tar_compress_options($) {
} }
sub test_unshare() { sub test_unshare() {
if ($EFFECTIVE_USER_ID == 0) {
return 0;
}
# arguments to syscalls have to be stored in their own variable or # arguments to syscalls have to be stored in their own variable or
# otherwise we will get "Modification of a read-only value attempted" # otherwise we will get "Modification of a read-only value attempted"
my $unshare_flags = CLONE_NEWUSER; my $unshare_flags = CLONE_NEWUSER;
@ -1351,6 +1354,9 @@ sub main() {
} }
} elsif ($options->{mode} eq 'unshare') { } elsif ($options->{mode} eq 'unshare') {
if (!test_unshare()) { if (!test_unshare()) {
if ($EFFECTIVE_USER_ID == 0) {
print STDERR "I: cannot use unshare mode when executing as root\n";
}
my $procfile = '/proc/sys/kernel/unprivileged_userns_clone'; my $procfile = '/proc/sys/kernel/unprivileged_userns_clone';
open(my $fh, '<', $procfile) or die "failed to open $procfile: $!"; open(my $fh, '<', $procfile) or die "failed to open $procfile: $!";
chomp(my $content = do { local $/; <$fh> }); chomp(my $content = do { local $/; <$fh> });