change std::process to drop supplementary groups based on CAP_SETGID #121650
Merged (1 commit), Mar 15, 2024
7 changes: 7 additions & 0 deletions library/std/src/os/unix/process.rs
@@ -39,6 +39,13 @@ pub trait CommandExt: Sealed {
/// Sets the child process's user ID. This translates to a
/// `setuid` call in the child process. Failure in the `setuid`
/// call will cause the spawn to fail.
///
/// # Notes
///
/// This will also trigger a call to `setgroups(0, NULL)` in the child
/// process if no groups have been specified.
/// This removes supplementary groups that might have given the child
/// unwanted permissions.
#[stable(feature = "rust1", since = "1.0.0")]
fn uid(&mut self, id: UserId) -> &mut process::Command;
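Review bot: the new doc text on `uid` says a `setgroups(0, NULL)` call "will" happen when no groups are given, but the accompanying change in `process_unix.rs` deliberately ignores an `EPERM` from that call, so a reader of this doc alone cannot tell that the group drop can silently not happen when the child lacks `CAP_SETGID`. Suggest saying so explicitly, e.g. "If the `setgroups` call fails with `EPERM` (the process lacks `CAP_SETGID`), the error is ignored and the supplementary groups are kept; callers that need a guaranteed drop should set an explicit (possibly empty) group list." It is also worth stating under "Notes" that this now happens regardless of whether the current uid is 0, since the old root-only condition is removed.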

14 changes: 11 additions & 3 deletions library/std/src/sys/pal/unix/process/process_unix.rs
@@ -330,14 +330,22 @@ impl Command {
if let Some(u) = self.get_uid() {
// When dropping privileges from root, the `setgroups` call
// will remove any extraneous groups. We only drop groups
// if the current uid is 0 and we weren't given an explicit
// if we have CAP_SETGID and we weren't given an explicit
// set of groups. If we don't call this, then even though our
// uid has dropped, we may still have groups that enable us to
// do super-user things.
//FIXME: Redox kernel does not support setgroups yet
#[cfg(not(target_os = "redox"))]
if libc::getuid() == 0 && self.get_groups().is_none() {
cvt(libc::setgroups(0, crate::ptr::null()))?;
if self.get_groups().is_none() {
let res = cvt(libc::setgroups(0, crate::ptr::null()));
if let Err(e) = res {
// Here we ignore the case of not having CAP_SETGID.
// An alternative would be to require CAP_SETGID (in
// addition to CAP_SETUID) for setting the UID.
if e.raw_os_error() != Some(libc::EPERM) {
return Err(e.into());
}
}
Comment on lines +341 to +348
As per #88716 (comment), I think we should fail the call entirely if we were not able to reset the groups after a uid change. Otherwise we could end up in a situation where the uid changed but kept the old groups.

This should not be a problem in practice because CAP_SETGID and CAP_SETUID will almost always come together.

}
cvt(libc::setuid(u as uid_t))?;
}
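Review bot: swallowing `EPERM` at `if e.raw_os_error() != Some(libc::EPERM)` lets the following `cvt(libc::setuid(u as uid_t))?` proceed even though the supplementary groups were not dropped, which is exactly the state the surrounding comment ("we may still have groups that enable us to do super-user things") warns against; the review comment above already asks to fail the call instead, and I would either do that or at least carry this trade-off into the `CommandExt::uid` documentation so callers know to pass an explicit group list. Two smaller points: the comment "Here we ignore the case of not having CAP_SETGID" uses Linux-specific wording for code compiled on every non-Redox Unix, where an unprivileged process also gets `EPERM` from `setgroups`, so "not being permitted to call `setgroups` (e.g. lacking `CAP_SETGID` on Linux)" would be more accurate; and with the `libc::getuid() == 0` guard removed, every unprivileged spawn that uses `uid()` now issues a `setgroups` syscall that is expected to fail, which is harmless but deserves a line in the comment.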