From ecc9f8d02b493483ea7bdf6c777cd1f23c7266b4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Oct 21 2016 12:50:42 +0000
Subject: When doing chroot
* we should not drop any capabilities for root
* we should not clear bounding capabilities for other users
* we should probably retain the supplement groups
---
diff --git a/openssh-7.2p2-chroot-capabilities.patch b/openssh-7.2p2-chroot-capabilities.patch
index 69a5342..ea71cb9 100644
--- a/openssh-7.2p2-chroot-capabilities.patch
+++ b/openssh-7.2p2-chroot-capabilities.patch
@@ -63,7 +63,7 @@ index 6cfcba4..80d2806 100644
 platform_setusercontext(pw);
-@@ -1619,10 +1624,24 @@ do_setusercontext(struct passwd *pw)
+@@ -1619,10 +1624,25 @@ do_setusercontext(struct passwd *pw)
 pw->pw_uid);
 chroot_path = percent_expand(tmp, "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
@@ -71,7 +71,8 @@ index 6cfcba4..80d2806 100644
 + /* drop suid soon, retain SYS_CHROOT capability */
 + capng_clear(CAPNG_SELECT_BOTH);
 + capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
-+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
++ if (pw->pw_uid != 0 &&
++ (dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_INIT_SUPP_GRP)) != 0)
 + logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
 +#endif
 #ifdef WITH_SELINUX
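Review bot: For root, the new `pw->pw_uid != 0 &&` test in the second hunk only skips `capng_change_id()`. The `capng_clear(CAPNG_SELECT_BOTH)` and `capng_update(...)` calls just above it still run, leaving libcap-ng's in-memory state cleared but unapplied, so a later `capng_apply()` in the same process, if one exists, would drop root's capabilities after all. Wrapping the whole block in `if (pw->pw_uid != 0) {` would match the stated intent ("we should not drop any capabilities for root") more directly. The short-circuit also leaves `dropped_suid` at its initial value for root; that variable is declared outside this hunk, so confirm the value still routes root through the later UID-drop path. `CAPNG_INIT_SUPP_GRP` appears to re-initialise the supplementary groups from a lookup by uid rather than keep the ones already set, which deserves a comment such as `/* re-init supplementary groups; bounding set left intact */`. `do_setusercontext()` starts and ends outside the hunk.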