In user namespaces where an unprivileged user is mapped as root and root
is unmapped, setuid bits have no effect. However setuid root
executables like mount are still usable *in the namespace* as the user
already has the required privileges. This commit detects the situation
where the wrapper gained no privileges that the parent process did not
already have and in this case does less sanity checking. In short there
is no need to be picky since the parent already can execute the foo.real
executable themselves.
Details:
man 7 user_namespaces:
Set-user-ID and set-group-ID programs
When a process inside a user namespace executes a set-user-ID
(set-group-ID) program, the process's effective user (group) ID
inside the namespace is changed to whatever value is mapped for
the user (group) ID of the file. However, if either the user or
the group ID of the file has no mapping inside the namespace, the
set-user-ID (set-group-ID) bit is silently ignored: the new
program is executed, but the process's effective user (group) ID
is left unchanged. (This mirrors the semantics of executing a
set-user-ID or set-group-ID program that resides on a filesystem
that was mounted with the MS_NOSUID flag, as described in
mount(2).)
The effect of the setuid bit is that the real user id is preserved and
the effective and set user ids are changed to the owner of the wrapper.
We detect that no privilege was gained by checking that euid == suid
== ruid. In this case we stop checking that euid == owner of the
wrapper file.
As a reminder here are the values of euid, ruid, suid, stat.st_uid and
stat.st_mode & S_ISUID in various cases when running a setuid 42 executable as user 1000:
Normal case:
ruid=1000 euid=42 suid=42
setuid=2048, st_uid=42
nosuid mount:
ruid=1000 euid=1000 suid=1000
setuid=2048, st_uid=42
inside unshare -rm:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
inside unshare -rm, on a suid mount:
ruid=0 euid=0 suid=0
setuid=2048, st_uid=65534
As 3bb3859 bumped the default PHP version to 8.2, the snipe-it package
has been pinned to PHP 8.1. This commit changes the php package used in
the module to the one pinned by snipe-it.
Currently systemd prints `Starting X11 Server` in the journal, which completely
misled me into searching why my wayland system was starting an X server.
Turns out that what is started is actually the display manager,
so I think it's better to call it like that in the description.
Unfortunately the config is not compatible; data itself looks like it was compatible
from an up to date python ankisyncd but I wouldn't assume anything with the older
service (which didn't work for me with either ankidroid or recent desktop version)
Currently the database service (mysql/postgresql) is required by the
gitea service. If none of them exists on the same machine as gitea it
will refuse to start. With this change it is only required if
createDatabase was set to true.
This commit creates a nixos module for static-web-server.
The module uses upstream systemd units to start static-web-server.
It also includes options for configuring static-web-server.