--- src/sexec.c.orig 2016-06-01 15:12:38.000000000 +0100
+++ src/sexec.c 2016-06-08 20:12:26.305999334 +0100
@@ -99,10 +99,12 @@
 int lockfile_fd;
 int retval = 0;
 int bind_mount_writable = 0;
- uid_t uid = getuid();
- gid_t gid = getgid();
+ int gid_list_count;
+ uid_t uid;
+ gid_t gid;
+ gid_t *gid_list;
 pid_t namespace_fork_pid = 0;
- struct passwd *pw = getpwuid(uid);
+ struct passwd *pw;
 //****************************************************************************//
@@ -115,6 +117,17 @@
 openlog("Singularity", LOG_CONS | LOG_NDELAY, LOG_LOCAL0);
+ // Get all user/group info
+ uid = getuid();
+ gid = getgid();
+ gid_list_count = getgroups(0, NULL);
+ gid_list = (gid_t *) malloc(sizeof(gid_t) * gid_list_count);
+ if ( getgroups(gid_list_count, gid_list) < 0 ) {
+ fprintf(stderr, "ABORT: Could not obtain current supplementary group list: %s\n", strerror(errno));
+ return(255);
+ }
+ pw = getpwuid(uid);
+
 // Check to make sure we are installed correctly
 if ( seteuid(0) < 0 ) {
 fprintf(stderr, "ABORT: Check installation, must be performed by root.\n");
@@ -617,6 +630,10 @@
 fprintf(stderr, "ABORT: failed enter CONTAINERIMAGE: %s\n", containerpath);
 return(255);
 }
+ if ( chdir("/") < 0 ) {
+ fprintf(stderr, "ABORT: Could not chdir after chroot to /: %s\n", strerror(errno));
+ return(1);
+ }
 //****************************************************************************//
@@ -641,6 +658,10 @@
 // Drop all privledges for good
 //****************************************************************************//
+ if ( setgroups(gid_list_count, gid_list) < 0 ) {
+ fprintf(stderr, "ABORT: Could not reset supplementary group list: %s\n", strerror(errno));
+ return(255);
+ }
 if ( setregid(gid, gid) < 0 ) {
 fprintf(stderr, "ABORT: Could not dump real and effective group privledges!\n");
 return(255);
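Review bot: In the `@@ -115` hunk, `gid_list_count = getgroups(0, NULL);` is used as an allocation size without a check for -1, and the `malloc()` result goes into the second `getgroups()` call unchecked. A failure of either appears to be caught only indirectly by that second call's error path, with an errno that no longer describes the real cause. Because this binary goes on to call `seteuid(0)`, each step should fail closed on its own, and the same count is later passed to `setgroups()` in the `@@ -641` hunk, where it must be known non-negative. The cast on `malloc()` is unnecessary in C and is dropped below. `getpwuid(uid)` can also return NULL; whether `pw` is checked before use is outside the hunk.

```c
    gid_list_count = getgroups(0, NULL);
    if ( gid_list_count < 0 ) {
        fprintf(stderr, "ABORT: Could not obtain current supplementary group count: %s\n", strerror(errno));
        return(255);
    }
    gid_list = malloc(sizeof(gid_t) * gid_list_count);
    if ( gid_list == NULL && gid_list_count > 0 ) {
        fprintf(stderr, "ABORT: Could not allocate supplementary group list: %s\n", strerror(errno));
        return(255);
    }
    // … unchanged: second getgroups() call with its error check, pw = getpwuid(uid) …
```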
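Review bot: The added `chdir("/")` in the `@@ -617` hunk has no comment saying why it must follow the chroot, so a later cleanup could mistake it for redundant. chroot() does not change the working directory, so without this call the process keeps a cwd that refers to a directory outside the new root. A comment such as `// chroot() does not move cwd; enter the new root so no directory outside it stays current` would record that. The new failure path uses `return(1);` while the container-entry failure just above it returns 255; `return(255);` would keep the two consistent. The chroot call itself is outside the hunk.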
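Review bot: The placement of the added `setgroups()` call ahead of `setregid()` in the `@@ -641` hunk is load-bearing but undocumented. setgroups() needs the privilege that the following calls give up, so moving it below them would make it fail, or silently leave the inherited supplementary groups in place if the check were ever relaxed. A comment such as `// Must come before setregid() and the uid drop: setgroups() needs the privilege dropped below` would protect the ordering. The uid drop is not visible here and presumably follows outside the hunk. `gid_list_count` is an `int` passed where `setgroups()` expects a `size_t`, so this call relies on the count having been validated where it was obtained.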
@@ -661,7 +682,6 @@
 return(1);
 }
-//TODO: Fix logic so that we use cwd_fd for OS dirs
 if ( is_dir(cwd) == 0 ) {
 if ( chdir(cwd) < 0 ) {
 fprintf(stderr, "ABORT: Could not chdir to: %s\n", cwd);