added check_overflow_uid_gid function

ubuntu · Nov 19, 2023 · 941b339 · 941b339
1 parent 1866d1f
commit 941b339
Showing 1 changed file with 28 additions and 27 deletions.
diff --git a/nss/src/cache/mod.rs b/nss/src/cache/mod.rs
@@ -345,23 +345,34 @@ impl CacheDBBuilder {
         Ok(c)
     }
 
-    fn read_file_as_u32(file_path: &str) -> u32 {
-        match fs::read_to_string(file_path) {
-            Ok(contents) => {
-                match contents.trim().parse::<u32>() {
-                    Ok(num) => num,
-                    Err(err) => {
-                        eprintln!("Parsing to u32 fail: {}", err);
-                        0 // fallback to 0
-                    },
-                }
-            },
-            Err(err) => {
-                eprintln!("error reading file: {}", err);
-                0 // fallback to 0
-            },
-        }
+    /// check_overflow_uid_gid checks if numbers provided matches with kernel overflow values
+    /// this is when we are checking owner of cache db, but are running in a namespace, and false values
+    /// are handed to us.
+    fn check_overflow_uid_gid(filestat_uid: u32, filestat_gid: u32) -> bool {
+
+        let overflowuid_content = match fs::read_to_string("/proc/sys/kernel/overflowuid") {
+            Ok(c) => c,
+            Err(_) => return false,
+        };
+
+        let overflowuid = match overflowuid_content.trim().parse::<u32>() {
+            Ok(n) => n,
+            Err(_) => return false,
+        };
+
+        let overflowgid_content = match fs::read_to_string("/proc/sys/kernel/overflowgid") {
+            Ok(c) => c,
+            Err(_) => return false,
+        };
+
+        let overflowgid = match overflowgid_content.trim().parse::<u32>() {
+            Ok(n) => n,
+            Err(_) => return false,
+        };
+
+        filestat_uid == overflowuid && filestat_gid == overflowgid
     }
+
     /// check_file_permissions checks the database files and compares the current ownership and
     /// permissions with the expected ones.
     fn check_file_permissions(files: &Vec<DbFileInfo>) -> Result<(), CacheError> {
@@ -385,10 +396,8 @@ impl CacheDBBuilder {
 
             // Checks ownership
             if stat.uid() != file.expected_uid || stat.gid() != file.expected_gid {
-                let overflowuid = Self::read_file_as_u32("/proc/sys/kernel/overflowuid");
-                let overflowgid = Self::read_file_as_u32("/proc/sys/kernel/overflowgid");
                 // check and don't fail if the file ownership matches kernel overflow uid/gid values
-                if stat.uid() != overflowuid && stat.gid() != overflowgid {
+                if ! Self::check_overflow_uid_gid(stat.uid(), stat.gid()) {
                     return Err(CacheError::DatabaseError(format!(
                         "invalid ownership for {}, expected {}:{} but got {}:{}",
                         file.path.to_str().unwrap(),
@@ -397,14 +406,6 @@ impl CacheDBBuilder {
                         stat.uid(),
                         stat.gid()
                     )));
-                }else{
-                    debug!("unexpected ownership for {}, expected {}:{} but got {}:{}",
-                           file.path.to_str().unwrap(),
-                           file.expected_uid,
-                           file.expected_gid,
-                           stat.uid(),
-                           stat.gid()
-                           );
                 }
             }
         }