1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
From: Hank Leininger <hlein@korelogic.com>
Date: Mon, 6 Apr 2015 08:22:48 -0500
Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not
like the user/group ownership of their target process.
Currently the error is just:
newuidmap: Target [pid] is owned by a different user
With this patch it will be like:
newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
Why is this useful? Well, in my case...
The grsecurity kernel-hardening patch includes an option to make parts
of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
the current uid. This comes with an option to make /proc/pid/
directories readable by a specific gid; sysadmins and the like are then
put into that group so they can see a full 'ps'.
This means that the check in new[ug]idmap fails, as in the above quoted
error - /proc/[targetpid] is owned by root, but the group is 99 so that
users in group 99 can see the process.
Some Googling finds dozens of people hitting this problem, but not
*knowing* that they have hit this problem, because the errors and
circumstances are non-obvious.
Some graceful way of handling this and not failing, will be next ;) But
in the meantime it'd be nice to have new[ug]idmap emit a more useful
error, so that it's easier to troubleshoot.
Thanks!
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
src/newgidmap.c | 6 ++++--
src/newuidmap.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/newgidmap.c b/src/newgidmap.c
index a532b45..451c6a6 100644
--- a/src/newgidmap.c
+++ b/src/newgidmap.c
@@ -161,8 +161,10 @@ int main(int argc, char **argv)
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
}
diff --git a/src/newuidmap.c b/src/newuidmap.c
index 5150078..9c8bc1b 100644
--- a/src/newuidmap.c
+++ b/src/newuidmap.c
@@ -161,8 +161,10 @@ int main(int argc, char **argv)
(getgid() != pw->pw_gid) ||
(pw->pw_uid != st.st_uid) ||
(pw->pw_gid != st.st_gid)) {
- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
- Prog, target);
+ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
+ Prog, target,
+ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
+ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
return EXIT_FAILURE;
}
|
GitWeb
