From 2a408e8cc696651b74038de2ff2f3fe136dfe46d Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 5 Dec 2016 15:38:22 -0500 Subject: [PATCH] Only --unshare-user automatically if we're not root https://github.com/projectatomic/bubblewrap/pull/122 introduced a regression for the case of rpm-ostree running bubblewrap on CentOS 7. Previously the `is_privileged` variable captured whether or not our uid was 0, now it captures whether we're setuid. This bit of code enabled `--unshare-user` automatically if we're not privileged, but we suddenly started doing that for running as real uid 0 (CAP_SYS_ADMIN), which we don't want, since on CentOS/RHEL 7 today userns isn't even available to root without a module parameter and reboot. So, let's just do this only if not setuid *and* we're not uid 0 (really we should check "have CAP_SYS_ADMIN" but eh). Closes: #123 Approved by: alexlarsson --- bubblewrap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bubblewrap.c b/bubblewrap.c index 10e520b..6e04459 100644 --- a/bubblewrap.c +++ b/bubblewrap.c @@ -1631,8 +1631,9 @@ main (int argc, parse_args (&argc, &argv); - /* We have to do this if we weren't installed setuid, so let's just DWIM */ - if (!is_privileged) + /* We have to do this if we weren't installed setuid (and we're not + * root), so let's just DWIM */ + if (!is_privileged && getuid () != 0) opt_unshare_user = TRUE; if (opt_unshare_user_try && -- 2.9.3