No need to update /proc/pid/setgroups if euid==0
authorJagger <robert@swiecki.net>
Sun, 28 Feb 2016 01:41:57 +0000 (02:41 +0100)
committerJagger <robert@swiecki.net>
Sun, 28 Feb 2016 01:41:57 +0000 (02:41 +0100)
contain.c

index 49503e96c8e67340bf5baf205409b40243fe303f..bd9718cf2a92f86c550f6b9aba7f11ab4367d517 100644 (file)
--- a/contain.c
+++ b/contain.c
 
 static bool containSetGroups(pid_t pid)
 {
+       /*
+        * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to uid_map/gid_map
+        * will succeed anyway
+        */
+       if (geteuid() == 0) {
+               return true;
+       }
+
        char fname[PATH_MAX];
        snprintf(fname, sizeof(fname), "/proc/%d/setgroups", pid);
        const char *denystr = "deny";
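Review bot: The early return in containSetGroups() treats `geteuid() == 0` as proof that the later gid_map write will be permitted, but the kernel checks CAP_SETGID in the parent user namespace rather than the uid. A root process running with a reduced capability set (for example, inside another container) would skip the 'deny' write and then presumably fail on gid_map with EPERM. Skipping it also leaves setgroups(2) usable inside the new namespace once gid_map is written, which changes what the jailed process may do with its supplementary groups and should be stated in the comment. The comment could also say that only gid_map depends on setgroups, e.g. `/* euid 0 is assumed to hold CAP_SETGID, so gid_map can be written without 'deny'; setgroups(2) stays allowed in the child */`. The rest of the function lies outside this hunk, so how a failed write is reported cannot be seen here.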