From d3b207a0d6c9a9103279ef668d98f66e3ab40134 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 26 Oct 2015 17:20:23 +0100
Subject: [PATCH] Create custom /etc/passwd and /etc/group with minimal content

There is no particular reason to leak the entire host passwd and group files, as only the users uid/gid is mapped anyway. If fact, injecting the tty group while also not being allowed to chmod the pty to that group will make grantpt() fail.
---
 lib/xdg-app-helper.c | 55 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 51 insertions(+), 4 deletions(-)

diff --git a/lib/xdg-app-helper.c b/lib/xdg-app-helper.c
index 103d2e9b..d1d35fa1 100644
--- a/lib/xdg-app-helper.c
+++ b/lib/xdg-app-helper.c
@@ -48,6 +48,8 @@
 #include
 #include
 #include
+#include
+#include
 #ifdef ENABLE_SECCOMP
 #include
@@ -516,6 +518,8 @@ typedef enum {
 FILE_TYPE_REMOUNT,
 FILE_TYPE_DEVICE,
 FILE_TYPE_SHM,
+ FILE_TYPE_ETC_PASSWD,
+ FILE_TYPE_ETC_GROUP,
 } file_type_t;
 typedef enum {
@@ -573,8 +577,8 @@ static const create_table_t create[] = {
 { FILE_TYPE_SYSTEM_SYMLINK, "sbin", 0755, "usr/sbin"},
 { FILE_TYPE_SYMLINK, "etc", 0755, "usr/etc", 0, &create_etc_symlink},
 { FILE_TYPE_DIR, "etc", 0755, NULL, 0, &create_etc_dir},
- { FILE_TYPE_REGULAR, "etc/passwd", 0755, NULL, 0, &create_etc_dir},
- { FILE_TYPE_REGULAR, "etc/group", 0755, NULL, 0, &create_etc_dir},
+ { FILE_TYPE_ETC_PASSWD, "etc/passwd", 0755, NULL, 0, &create_etc_dir},
+ { FILE_TYPE_ETC_GROUP, "etc/group", 0755, NULL, 0, &create_etc_dir},
 { FILE_TYPE_REGULAR, "etc/resolv.conf", 0755, NULL, 0, &bind_resolv_conf},
 { FILE_TYPE_SYMLINK, "etc/resolv.conf", 0755, "/run/user/%1$d/xdg-app-monitor/resolv.conf", 0, &create_monitor_links},
 { FILE_TYPE_REGULAR, "etc/machine-id", 0755, NULL, 0, &create_etc_dir},
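Review bot: The `etc/passwd` and `etc/group` rows of `create[]` keep mode `0755` after their type changes to FILE_TYPE_ETC_PASSWD / FILE_TYPE_ETC_GROUP, but that mode was only a placeholder for a bind-mount target that the `create_post` rows removed in the next hunk (source mode `0444`) then covered; now the files receive real content and are presumably created with the execute bits set, since `mode` is what the new create_files cases pass to `create_file`. Unless `create_file` ignores `mode`, a regular-file mode is the right one here, e.g. `{ FILE_TYPE_ETC_PASSWD, "etc/passwd", 0644, NULL, 0, &create_etc_dir},` and the same `0644` for `etc/group`. The `create[]` table starts before this hunk and continues after it.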
@@ -618,8 +622,6 @@ static const create_table_t create[] = {
 /* warning: Don't create any actual files here, as we could potentially write over bind mounts to the system */
 static const create_table_t create_post[] = {
- { FILE_TYPE_BIND_RO, "etc/passwd", 0444, "/etc/passwd", 0},
- { FILE_TYPE_BIND_RO, "etc/group", 0444, "/etc/group", 0},
 { FILE_TYPE_BIND_RO, "etc/machine-id", 0444, "/etc/machine-id", FILE_FLAGS_NON_FATAL},
 { FILE_TYPE_BIND_RO, "etc/machine-id", 0444, "/var/lib/dbus/machine-id", FILE_FLAGS_NON_FATAL | FILE_FLAGS_IF_LAST_FAILED},
 { FILE_TYPE_BIND_RO, "etc/resolv.conf", 0444, "/etc/resolv.conf", 0, &bind_resolv_conf},
@@ -1273,6 +1275,51 @@ create_files (const create_table_t *create, int n_create, int ignore_shm, const
 die_with_error ("creating dir %s", name);
 break;
+ case FILE_TYPE_ETC_PASSWD:
+ {
+ char *content = NULL;
+ struct passwd *p = getpwuid (uid);
+ if (p)
+ {
+ content = strdup_printf ("%s:x:%d:%d:%s:%s:%s\n"
+ "nfsnobody:x:65534:65534:Unmapped user:/:/sbin/nologin\n",
+ p->pw_name,
+ uid, gid,
+ p->pw_gecos,
+ p->pw_dir,
+ p->pw_shell);
+
+ }
+
+ if (!create_file (name, mode, content))
+ die_with_error ("creating file %s", name);
+
+ if (content)
+ free (content);
+ }
+ break;
+
+ case FILE_TYPE_ETC_GROUP:
+ {
+ char *content = NULL;
+ struct group *g = getgrgid (gid);
+ struct passwd *p = getpwuid (uid);
+ if (p && g)
+ {
+ content = strdup_printf ("%s:x:%d:%s\n"
+ "nfsnobody:x:65534:\n",
+ g->gr_name,
+ gid, p->pw_name);
+ }
+
+ if (!create_file (name, mode, content))
+ die_with_error ("creating file %s", name);
+
+ if (content)
+ free (content);
+ }
+ break;
+
 case FILE_TYPE_REGULAR:
 if (!create_file (name, mode, NULL))
 die_with_error ("creating file %s", name);
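Review bot: In the new FILE_TYPE_ETC_PASSWD and FILE_TYPE_ETC_GROUP cases a failed `getpwuid (uid)` or `getgrgid (gid)` lookup leaves `content` NULL, so `create_file (name, mode, content)` presumably writes an empty `/etc/passwd` or `/etc/group` into the sandbox — not even the `nfsnobody` record or an entry for the sandboxed uid/gid survives, and lookups of the current user inside the sandbox would then fail silently; the `nfsnobody` line should be emitted unconditionally, and a failed host lookup should at least be logged or replaced by a minimal synthesized entry for `uid`/`gid`. The records use `%d` for `uid` and `gid`, whose declarations are outside this hunk; if they are `uid_t`/`gid_t` (unsigned on glibc) the matching form is `"%s:x:%u:%u:%s:%s:%s\n", p->pw_name, (unsigned) uid, (unsigned) gid, ...` and `"%s:x:%u:%s\n", g->gr_name, (unsigned) gid, p->pw_name`. The host `pw_gecos`, `pw_dir` and `pw_shell` strings are interpolated verbatim, so a `:` or newline in any of them (gecos is user-editable via chfn on many systems) would alter the record layout of the generated file; a short comment such as `/* host passwd fields are copied unescaped; a ':' or '\n' would split the record */`, or a check rejecting such characters, would make that assumption explicit. Minor style: the group case repeats the `getpwuid (uid)` lookup already done for passwd, and `if (content) free (content);` can simply be `free (content);` since free(NULL) is a no-op. The enclosing `switch` of create_files starts and ends outside this hunk.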