diff options
| author | Elliot Roberts <Elliot0000101@gmail.com> | 2022-04-12 07:46:07 -0700 |
|---|---|---|
| committer | Pavel Grigorenko <grigorenkopv@ya.ru> | 2024-02-26 23:11:28 +0300 |
| commit | 3a6af84fca1b41614887748e9fdb0e2b2a13fb96 (patch) | |
| tree | 9fa28510cf7d4f32c6b03b9018d76d57436a2356 | |
| parent | 829308e9af1a1f55540d2c8b0e007e1d0cb9c8c6 (diff) | |
| download | rust-3a6af84fca1b41614887748e9fdb0e2b2a13fb96.tar.gz rust-3a6af84fca1b41614887748e9fdb0e2b2a13fb96.zip | |
change std::process to drop supplementary groups based on CAP_SETGID
| -rw-r--r-- | library/std/src/os/unix/process.rs | 7 | ||||
| -rw-r--r-- | library/std/src/sys/pal/unix/process/process_unix.rs | 14 |
2 files changed, 18 insertions, 3 deletions
diff --git a/library/std/src/os/unix/process.rs b/library/std/src/os/unix/process.rs index e45457b2e42..72ea54bd772 100644 --- a/library/std/src/os/unix/process.rs +++ b/library/std/src/os/unix/process.rs @@ -39,6 +39,13 @@ pub trait CommandExt: Sealed { /// Sets the child process's user ID. This translates to a /// `setuid` call in the child process. Failure in the `setuid` /// call will cause the spawn to fail. + /// + /// # Notes + /// + /// This will also trigger a call to `setgroups(0, NULL)` in the child + /// process if no groups have been specified. + /// This removes supplementary groups that might have given the child + /// unwanted permissions. #[stable(feature = "rust1", since = "1.0.0")] fn uid(&mut self, id: UserId) -> &mut process::Command; diff --git a/library/std/src/sys/pal/unix/process/process_unix.rs b/library/std/src/sys/pal/unix/process/process_unix.rs index 97cbd1929d3..f017d39d804 100644 --- a/library/std/src/sys/pal/unix/process/process_unix.rs +++ b/library/std/src/sys/pal/unix/process/process_unix.rs @@ -330,14 +330,22 @@ impl Command { if let Some(u) = self.get_uid() { // When dropping privileges from root, the `setgroups` call // will remove any extraneous groups. We only drop groups - // if the current uid is 0 and we weren't given an explicit + // if we have CAP_SETGID and we weren't given an explicit // set of groups. If we don't call this, then even though our // uid has dropped, we may still have groups that enable us to // do super-user things. //FIXME: Redox kernel does not support setgroups yet #[cfg(not(target_os = "redox"))] - if libc::getuid() == 0 && self.get_groups().is_none() { - cvt(libc::setgroups(0, crate::ptr::null()))?; + if self.get_groups().is_none() { + let res = cvt(libc::setgroups(0, crate::ptr::null())); + if let Err(e) = res { + // Here we ignore the case of not having CAP_SETGID. + // An alternative would be to require CAP_SETGID (in + // addition to CAP_SETUID) for setting the UID. + if e.raw_os_error() != Some(libc::EPERM) { + return Err(e.into()); + } + } } cvt(libc::setuid(u as uid_t))?; } |