Bugzilla – Attachment 3105 Details for
Bug 2813
sshd fails to start in user namespaces when the gid for tty is not mapped
[patch]
Patch to support user namespaces
0001-sshpty-Only-warn-if-uid-of-pts-device-matches-and-gi.patch (text/plain), 1.58 KB, created by
Oliver Freyermuth
on 2017-12-17 03:46:06 AEDT
>From 6d4d496b799bee12ba41af8f033f5c38d20d87b8 Mon Sep 17 00:00:00 2001 >From: Oliver Freyermuth <o.freyermuth@googlemail.com> >Date: Sat, 16 Dec 2017 17:41:40 +0100 >Subject: [PATCH] sshpty: Only warn if uid of pts device matches and gid is > overflow gid. > >This is the case in user namespace containers. >The user's uid/gid pair can be mapped to only a single uid/gid pair, >any other gid is mapped to the overflow uid/gid by the kernel. > >Signed-off-by: Oliver Freyermuth <o.freyermuth@googlemail.com> >--- > sshpty.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > >diff --git a/sshpty.c b/sshpty.c >index fe2fb5aa..86af2ed4 100644 >--- a/sshpty.c >+++ b/sshpty.c >@@ -202,7 +202,9 @@ pty_setowner(struct passwd *pw, const char *tty) > /* > * Change owner and mode of the tty as required. > * Warn but continue if filesystem is read-only and the uids match/ >- * tty is owned by root. >+ * tty is owned by root, also warn but continue >+ * if the uids match and the gid is the overflow gid 0xFFFE, >+ * which is the case in user namespaces. > */ > if (stat(tty, &st)) > fatal("stat(%.100s) failed: %.100s", tty, >@@ -219,6 +221,10 @@ pty_setowner(struct passwd *pw, const char *tty) > debug("chown(%.100s, %u, %u) failed: %.100s", > tty, (u_int)pw->pw_uid, (u_int)gid, > strerror(errno)); >+ else if (st.st_uid == pw->pw_uid && st.st_gid == 0xFFFE) >+ debug("chown(%.100s, %u, %u) failed: %.100s", >+ tty, (u_int)pw->pw_uid, (u_int)gid, >+ strerror(errno)); > else > fatal("chown(%.100s, %u, %u) failed: %.100s", > tty, (u_int)pw->pw_uid, (u_int)gid, >-- >2.13.6 >
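Review bot: The reworded comment in the first hunk (pty_setowner, around line 202) presents 0xFFFE as the overflow gid as if it were fixed, but on Linux 65534 is only the default and can be changed through /proc/sys/kernel/overflowgid. The comment should say that the value is the default overflow gid. It would also read more clearly if the existing read-only-filesystem case and the new user-namespace case were listed as two separate conditions rather than joined in one sentence.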
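Review bot: The added branch in the second hunk, `else if (st.st_uid == pw->pw_uid && st.st_gid == 0xFFFE)`, tests a bare magic number and does not look at errno, so every chown() failure is downgraded from fatal() to debug() whenever the uid matches and the tty's group reads as 65534. Several distributions also assign 65534 to a real nobody/nogroup group, so the test cannot tell an unmapped gid from a genuinely owned one. Suggest a named constant for the overflow gid, a restriction to the errno value this case actually produces, and a short comment on the branch itself. The subject line says "warn" while the code calls debug(); since that debug() call is identical to the one in the branch directly above, the two conditions could share a single call.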