newuidmap/newgidmap: install with file capabilities
Do not install newuidmap/newgidmap as suid binaries. When these tools run with the same euid as the owner of the user namespace being configured, they require only CAP_SETUID and CAP_SETGID, instead of the CAP_SYS_ADMIN required when they are installed as suid binaries.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
parent
ff8b1ebafa
commit
70971457b7
14
configure.ac
14
configure.ac
@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then
|
||||
fi
|
||||
AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
|
||||
|
||||
|
||||
AC_ARG_WITH(fcaps,
|
||||
[AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
|
||||
[with_fcaps=$withval], [with_fcaps=no])
|
||||
AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
|
||||
|
||||
if test "x$with_fcaps" = "xyes"; then
|
||||
AC_CHECK_PROGS(capcmd, "setcap")
|
||||
if test "x$capcmd" = "x" ; then
|
||||
AC_MSG_ERROR([setcap command not available])
|
||||
fi
|
||||
fi
|
||||
|
||||
AC_SUBST(LIBSKEY)
|
||||
AC_SUBST(LIBMD)
|
||||
if test "$with_skey" = "yes"; then
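Review bot: `AC_CHECK_PROGS(capcmd, "setcap")` only records that a program named setcap is on the configuring user's PATH, while the install hook in the Makefile.am hunk calls bare `setcap`, so the program that was checked and the one that grants capabilities at install time (usually under a different, root PATH) are not tied together. Resolving an absolute path, for example `AC_PATH_PROG([capcmd], [setcap], [], [$PATH:/sbin:/usr/sbin])`, and calling `$(capcmd)` in the hook would make that explicit. Also, any value other than `yes` (such as `--with-fcaps=auto`) leaves the `FCAPS` conditional false and silently keeps the setuid install; rejecting unknown values with `AC_MSG_ERROR` would avoid a build that looks hardened but is not.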
|
||||
@ -684,4 +697,5 @@ echo " SHA passwords encryption: $with_sha_crypt"
|
||||
echo " nscd support: $with_nscd"
|
||||
echo " sssd support: $with_sssd"
|
||||
echo " subordinate IDs support: $enable_subids"
|
||||
echo " use file caps: $with_fcaps"
|
||||
echo
|
||||
|
@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
|
||||
suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
|
||||
endif
|
||||
if ENABLE_SUBIDS
|
||||
if !FCAPS
|
||||
suidubins += newgidmap newuidmap
|
||||
endif
|
||||
endif
|
||||
|
||||
if WITH_TCB
|
||||
shadowsgidubins = passwd
|
||||
@ -138,3 +140,9 @@ if WITH_TCB
|
||||
chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
|
||||
done
|
||||
endif
|
||||
if ENABLE_SUBIDS
|
||||
if FCAPS
|
||||
setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
|
||||
setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
|
||||
endif
|
||||
endif
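Review bot: The two `setcap` lines apply the capability to the staged file under `$(DESTDIR)`, which needs CAP_SETFCAP at install time and is stored in the `security.capability` extended attribute. A staged or packaged install that runs unprivileged will stop here, and one that copies or archives the tree without preserving xattrs will ship newuidmap/newgidmap with neither capabilities nor the setuid bit, because the FCAPS branch also removes them from `suidubins`. I would add a comment above these lines such as `# file caps are an xattr: packagers must preserve xattrs or re-run setcap in a post-install step`, and document checking the result with `getcap` on the installed paths. The install hook rule that contains these lines starts outside the hunk, so the surrounding error handling is not visible here.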
|
||||
|