newuidmap/newgidmap: install with file capabilities

do not install newuidmap/newgidmap as suid binaries.  Running these
tools with the same euid as the owner of the user namespace to
configure requires only CAP_SETUID and CAP_SETGID instead of requiring
CAP_SYS_ADMIN when it is installed as a suid binary.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

diff --git a/configure.ac b/configure.ac
index aaedf52933ba6d97bbd7a586426aceb72d603d31..c2428056e0fa56ae5b439b3051f7ca0ba0217097 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -600,6 +600,19 @@ if test "$enable_acct_tools_setuid" != "no"; then
 fi
 AM_CONDITIONAL(ACCT_TOOLS_SETUID, test "x$enable_acct_tools_setuid" = "xyes")
 
+
+AC_ARG_WITH(fcaps,
+       [AC_HELP_STRING([--with-fcaps], [use file capabilities instead of suid binaries for newuidmap/newgidmap @<:@default=no@:>@])],
+       [with_fcaps=$withval], [with_fcaps=no])
+AM_CONDITIONAL(FCAPS, test "x$with_fcaps" = "xyes")
+
+if test "x$with_fcaps" = "xyes"; then
+       AC_CHECK_PROGS(capcmd, "setcap")
+       if test "x$capcmd" = "x" ; then
+               AC_MSG_ERROR([setcap command not available])
+       fi
+fi
+
 AC_SUBST(LIBSKEY)
 AC_SUBST(LIBMD)
 if test "$with_skey" = "yes"; then
@@ -684,4 +697,5 @@ echo "      SHA passwords encryption:       $with_sha_crypt"
 echo " nscd support:                   $with_nscd"
 echo " sssd support:                   $with_sssd"
 echo " subordinate IDs support:        $enable_subids"
+echo " use file caps:                  $with_fcaps"
 echo

diff --git a/src/Makefile.am b/src/Makefile.am
index 3c98a8d3636762f1826d5aaae8ac41dd784c68b4..19534dc67cbc2779030a4e607c54bef36c101a65 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -61,8 +61,10 @@ if ACCT_TOOLS_SETUID
 suidubins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
 endif
 if ENABLE_SUBIDS
+if !FCAPS
 suidubins += newgidmap newuidmap
 endif
+endif
 
 if WITH_TCB
 shadowsgidubins = passwd
@@ -138,3 +140,9 @@ if WITH_TCB
                chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
        done
 endif
+if ENABLE_SUBIDS
+if FCAPS
+       setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
+       setcap cap_setgid+ep $(DESTDIR)$(ubindir)/newgidmap
+endif
+endif