[Pkg-shadow-devel] [PATCH] new?idmap: verbose error when uid/gid do not match

Fri Apr 3 21:24:09 UTC 2015

Quoting Hank Leininger (hlein at korelogic.com):
> Below is a patch that expands the error message when newuidmap /
> newgidmap do not like the user/group ownership of their target process.
> 
> Currently the error is just:
> 
> newuidmap: Target [pid] is owned by a different user
> 
> With this patch it will be like:
> 
> newuidmap: Target [pid] is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:99
> 
> Why is this useful?  Well, in my case...
> 
> The grsecurity kernel-hardening patch includes an option to make parts
> of /proc unreadable, such as /proc/pid/ dirs for processes not owned by
> the current uid.  This comes with an option to make /proc/pid/
> directories readable by a specific gid; sysadmins and the like are then
> put into that group so they can see a full 'ps'.
> 
> This means that the check in new[ug]idmap fails, as in the above quoted
> error - /proc/[targetpid] is owned by root, but the group is 99 so that
> users in group 99 can see the process.
> 
> Some Googling finds dozens of people hitting this problem, but not
> *knowing* that they have hit this problem, because the errors and
> circumstances are non-obvious.
> 
> Some graceful way of handling this and not failing, will be next ;)  But
> in the meantime it'd be nice to have new[ug]idmap emit a more useful
> error, so that it's easier to troubleshoot.
> 
> Thanks!
> 
> Signed-off-by: Hank Leininger <hlein at korelogic.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
> 
> diff -urP shadow-4.2.1.orig/src/newgidmap.c shadow-4.2.1/src/newgidmap.c
> --- shadow-4.2.1.orig/src/newgidmap.c	2014-03-01 13:59:51.000000000 -0500
> +++ shadow-4.2.1/src/newgidmap.c	2015-03-25 00:37:39.074144574 -0400
> @@ -160,8 +160,10 @@
>  	    (getgid() != pw->pw_gid) ||
>  	    (pw->pw_uid != st.st_uid) ||
>  	    (pw->pw_gid != st.st_gid)) {
> -		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
> -			Prog, target);
> +		fprintf(stderr, _( "%s: Target %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
> +			Prog, target,
> +			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
> +			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
>  		return EXIT_FAILURE;
>  	}
>  
> diff -urP shadow-4.2.1.orig/src/newuidmap.c shadow-4.2.1/src/newuidmap.c
> --- shadow-4.2.1.orig/src/newuidmap.c	2014-03-01 13:59:51.000000000 -0500
> +++ shadow-4.2.1/src/newuidmap.c	2015-03-25 00:36:56.138141710 -0400
> @@ -160,8 +160,10 @@
>  	    (getgid() != pw->pw_gid) ||
>  	    (pw->pw_uid != st.st_uid) ||
>  	    (pw->pw_gid != st.st_gid)) {
> -		fprintf(stderr, _( "%s: Target %u is owned by a different user\n" ),
> -			Prog, target);
> +		fprintf(stderr, _( "%s: Target process %u is owned by a different user: uid:%lu pw_uid:%lu st_uid:%lu, gid:%lu pw_gid:%lu st_gid:%lu\n" ),
> +			Prog, target,
> +			(unsigned long int)getuid(), (unsigned long int)pw->pw_uid, (unsigned long int)st.st_uid,
> +			(unsigned long int)getgid(), (unsigned long int)pw->pw_gid, (unsigned long int)st.st_gid);
>  		return EXIT_FAILURE;
>  	}
>  

> _______________________________________________
> Pkg-shadow-devel mailing list
> Pkg-shadow-devel at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-shadow-devel