Commit 7657d904 authored Dec 03, 2008 by Serge E. Hallyn Committed by James Morris Dec 08, 2008

user namespaces: require cap_set{ug}id for CLONE_NEWUSER



While ideally CLONE_NEWUSER will eventually require no
privilege, the required permission checks are currently
not there.  As a result, CLONE_NEWUSER has the same effect
as a setuid(0)+setgroups(1,"0").  While we already require
CAP_SYS_ADMIN, requiring CAP_SETUID and CAP_SETGID seems
appropriate.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: James Morris <jmorris@namei.org>

parent c37bbb0f

kernel/fork.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1344,7 +1344,8 @@ long do_fork(unsigned long clone_flags,
		/* hopefully this check will go away when userns support is
		* complete
		*/
		if (!capable(CAP_SYS_ADMIN))
		if (!capable(CAP_SYS_ADMIN) \|\| !capable(CAP_SETUID) \|\|
		!capable(CAP_SETGID))
		return -EPERM;
		}