diff options
-rw-r--r-- | sys-utils/unshare.1 | 3 | ||||
-rw-r--r-- | sys-utils/unshare.c | 7 |
2 files changed, 10 insertions, 0 deletions
diff --git a/sys-utils/unshare.1 b/sys-utils/unshare.1 index 31fcfde74..06e4ac205 100644 --- a/sys-utils/unshare.1 +++ b/sys-utils/unshare.1 @@ -47,6 +47,9 @@ Unshare the IPC namespace, .TP .BR \-n , " \-\-net" Unshare the network namespace. +.SH NOTES +The unshare command drops potential privileges before executing the +target program. This allows to setuid unshare. .SH SEE ALSO unshare(2), clone(2) .SH BUGS diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c index df75d1776..6b6177c54 100644 --- a/sys-utils/unshare.c +++ b/sys-utils/unshare.c @@ -113,6 +113,13 @@ int main(int argc, char *argv[]) if(-1 == unshare(unshare_flags)) err(EXIT_FAILURE, _("unshare failed")); + /* drop potential root euid/egid if we had been setuid'd */ + if (setgid(getgid()) < 0) + err(EXIT_FAILURE, _("cannot set group id")); + + if (setuid(getuid()) < 0) + err(EXIT_FAILURE, _("cannot set user id")); + execvp(argv[optind], argv + optind); err(EXIT_FAILURE, _("exec %s failed"), argv[optind]); |