summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--sys-utils/unshare.13
-rw-r--r--sys-utils/unshare.c7
2 files changed, 10 insertions, 0 deletions
diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1
index 31fcfde74..06e4ac205 100644
--- a/sys-utils/unshare.1
+++ b/sys-utils/unshare.1
@@ -47,6 +47,9 @@ Unshare the IPC namespace,
.TP
.BR \-n , " \-\-net"
Unshare the network namespace.
+.SH NOTES
+The unshare command drops potential privileges before executing the
+target program. This allows to setuid unshare.
.SH SEE ALSO
unshare(2), clone(2)
.SH BUGS
diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
index df75d1776..6b6177c54 100644
--- a/sys-utils/unshare.c
+++ b/sys-utils/unshare.c
@@ -113,6 +113,13 @@ int main(int argc, char *argv[])
if(-1 == unshare(unshare_flags))
err(EXIT_FAILURE, _("unshare failed"));
+ /* drop potential root euid/egid if we had been setuid'd */
+ if (setgid(getgid()) < 0)
+ err(EXIT_FAILURE, _("cannot set group id"));
+
+ if (setuid(getuid()) < 0)
+ err(EXIT_FAILURE, _("cannot set user id"));
+
execvp(argv[optind], argv + optind);
err(EXIT_FAILURE, _("exec %s failed"), argv[optind]);
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2024-07-21 01:59:24 +0200