[CRIU] [PATCH 1/3] security: check additional groups,v5
Ruslan Kuprieiev
kupruser at gmail.com
Wed Aug 6 06:22:27 PDT 2014
Hi Christopher,
this is a bit of an unexpected issue for me =).
Could you provide more info about your case?
Are you using something like /etc/nsswitch.conf?
06.08.2014 16:04, Christopher Covington wrote:
> Hi,
>
> This change breaks `criu check` and `criu dump` for me because I don't have an
> /etc/passwd.
>
> On 07/14/2014 02:24 PM, Ruslan Kuprieiev wrote:
>> Currently, we only check if process gids match primary gid of user.
>> But process and user have additional groups too. So let's:
>> 1) check that process rgid,egid and sgid are in the user's grouplist.
>> 2) on restore check that user has all groups from the images.
>> --- a/security.c
>> +++ b/security.c
>> @@ -1,14 +1,23 @@
>> #include <unistd.h>
>> +#include <pwd.h>
>> +#include <grp.h>
>> +#include <limits.h>
>> +#include <stdlib.h>
>> +#include <string.h>
>> +
>> #include "crtools.h"
>> #include "proc_parse.h"
>> #include "log.h"
>> +#include "xmalloc.h"
>> +#include "bug.h"
>>
>> #include "protobuf/creds.pb-c.h"
>>
>> /*
>> - * UID and GID of user requesting for C/R
>> + * UID, GID and groups of user requesting for C/R
>> */
>> static unsigned int cr_uid, cr_gid;
>> +static unsigned int cr_ngroups, *cr_groups;
>>
>> /*
>> * Setup what user is requesting for dump (via rpc or using
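Review bot: the new statics `cr_ngroups, *cr_groups` are covered only by the one-line comment "UID, GID and groups of user requesting for C/R", which does not say who allocates and frees cr_groups or what cr_ngroups == 0 with cr_groups == NULL means when restrict_uid() was never called. Please document that next to the declaration. They are also declared as unsigned int while the newly included <grp.h> interfaces work with gid_t; either use gid_t or note that unsigned int is kept on purpose to match cr_uid and cr_gid.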
>> @@ -17,11 +26,36 @@ static unsigned int cr_uid, cr_gid;
>> * access to. (Or implement some trickier security policy).
>> */
>>
>> -void restrict_uid(unsigned int uid, unsigned int gid)
>> +int restrict_uid(unsigned int uid, unsigned int gid)
>> {
>> - pr_info("Restrict C/R with %u:%u uid\n", uid, gid);
>> + struct passwd *pwd;
>> + unsigned int buf[NGROUPS_MAX];
>> + int nbuf;
>> +
>> + pr_info("Restrict C/R with %u:%u uid:gid\n", uid, gid);
>> cr_uid = uid;
>> cr_gid = gid;
>> +
>> + pwd = getpwuid(uid);
>> + if (!pwd) {
>> + pr_perror("Can't get password file entry");
>> + return -1;
>> + }
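Review bot: the `if (!pwd)` branch after `getpwuid(uid)` turns a missing passwd entry into a hard failure, so restrict_uid() now returns -1 where the previous version only logged and stored uid and gid. Consider logging a warning and falling back to the primary-gid-only check (leave cr_ngroups at 0) instead of `return -1`. getpwuid() can also return NULL without setting errno when no entry matches, so set errno = 0 before the call or pr_perror() may print a stale error. Separately, `unsigned int buf[NGROUPS_MAX]` is a large stack array (NGROUPS_MAX is 65536 on Linux); a heap buffer sized to the actual group count would be safer. Since the return type changes from void to int, every caller needs to check the result.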
> Could CRIU just revert to the old behavior rather than exiting if /etc/passwd
> doesn't exist?
>
> Thanks,
> Christopher
>