diff options
Diffstat (limited to 'sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch')
| -rw-r--r-- | sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch b/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch new file mode 100644 index 000000000000..340424eb12e3 --- /dev/null +++ b/sys-apps/shadow/files/shadow-4.2.1-verbose-error-when-uid-doesnt-match.patch @@ -0,0 +1,76 @@ +From: Hank Leininger <hlein@korelogic.com> +Date: Mon, 6 Apr 2015 08:22:48 -0500 +Subject: [PATCH] Expand the error message when newuidmap / newgidmap do not + like the user/group ownership of their target process. + +Currently the error is just: + +newuidmap: Target [pid] is owned by a different user + +With this patch it will be like: + +newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99 + +Why is this useful? Well, in my case... + +The grsecurity kernel-hardening patch includes an option to make parts +of /proc unreadable, such as /proc/pid/ dirs for processes not owned by +the current uid. This comes with an option to make /proc/pid/ +directories readable by a specific gid; sysadmins and the like are then +put into that group so they can see a full 'ps'. + +This means that the check in new[ug]idmap fails, as in the above quoted +error - /proc/[targetpid] is owned by root, but the group is 99 so that +users in group 99 can see the process. + +Some Googling finds dozens of people hitting this problem, but not +*knowing* that they have hit this problem, because the errors and +circumstances are non-obvious. + +Some graceful way of handling this and not failing, will be next ;) But +in the meantime it'd be nice to have new[ug]idmap emit a more useful +error, so that it's easier to troubleshoot. + +Thanks! + +Signed-off-by: Hank Leininger <hlein@korelogic.com> +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> +--- + src/newgidmap.c | 6 ++++-- + src/newuidmap.c | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/newgidmap.c b/src/newgidmap.c +index a532b45..451c6a6 100644 +--- a/src/newgidmap.c ++++ b/src/newgidmap.c +@@ -161,8 +161,10 @@ int main(int argc, char **argv) + (getgid() != pw->pw_gid) || + (pw->pw_uid != st.st_uid) || + (pw->pw_gid != st.st_gid)) { +- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), +- Prog, target); ++ fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), ++ Prog, target, ++ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, ++ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); + return EXIT_FAILURE; + } + +diff --git a/src/newuidmap.c b/src/newuidmap.c +index 5150078..9c8bc1b 100644 +--- a/src/newuidmap.c ++++ b/src/newuidmap.c +@@ -161,8 +161,10 @@ int main(int argc, char **argv) + (getgid() != pw->pw_gid) || + (pw->pw_uid != st.st_uid) || + (pw->pw_gid != st.st_gid)) { +- fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ), +- Prog, target); ++ fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ), ++ Prog, target, ++ (unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid, ++ (unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid); + return EXIT_FAILURE; + } + |