--- src/sexec.c.orig 2016-06-01 15:12:38.000000000 +0100
+++ src/sexec.c 2016-06-08 20:12:26.305999334 +0100
@@ -99,10 +99,12 @@
int lockfile_fd;
int retval = 0;
int bind_mount_writable = 0;
- uid_t uid = getuid();
- gid_t gid = getgid();
+ int gid_list_count;
+ uid_t uid;
+ gid_t gid;
+ gid_t *gid_list;
pid_t namespace_fork_pid = 0;
- struct passwd *pw = getpwuid(uid);
+ struct passwd *pw;
//****************************************************************************//
@@ -115,6 +117,17 @@
openlog("Singularity", LOG_CONS | LOG_NDELAY, LOG_LOCAL0);
+ // Get all user/group info
+ uid = getuid();
+ gid = getgid();
+ gid_list_count = getgroups(0, NULL);
+ gid_list = (gid_t *) malloc(sizeof(gid_t) * gid_list_count);
+ if ( getgroups(gid_list_count, gid_list) < 0 ) {
+ fprintf(stderr, "ABORT: Could not obtain current supplementary group list: %s\n", strerror(errno));
+ return(255);
+ }
+ pw = getpwuid(uid);
+
// Check to make sure we are installed correctly
if ( seteuid(0) < 0 ) {
fprintf(stderr, "ABORT: Check installation, must be performed by root.\n");
@@ -617,6 +630,10 @@
fprintf(stderr, "ABORT: failed enter CONTAINERIMAGE: %s\n", containerpath);
return(255);
}
+ if ( chdir("/") < 0 ) {
+ fprintf(stderr, "ABORT: Could not chdir after chroot to /: %s\n", strerror(errno));
+ return(1);
+ }
//****************************************************************************//
@@ -641,6 +658,10 @@
// Drop all privledges for good
//****************************************************************************//
+ if ( setgroups(gid_list_count, gid_list) < 0 ) {
+ fprintf(stderr, "ABORT: Could not reset supplementary group list: %s\n", strerror(errno));
+ return(255);
+ }
if ( setregid(gid, gid) < 0 ) {
fprintf(stderr, "ABORT: Could not dump real and effective group privledges!\n");
return(255);
@@ -661,7 +682,6 @@
return(1);
}
-//TODO: Fix logic so that we use cwd_fd for OS dirs
if ( is_dir(cwd) == 0 ) {
if ( chdir(cwd) < 0 ) {
fprintf(stderr, "ABORT: Could not chdir to: %s\n", cwd);