Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit 5e4a0847 authored Dec 14, 2012 by Eric W. Biederman

userns: Require CAP_SYS_ADMIN for most uses of setns.



Andy Lutomirski <luto@amacapital.net> found a nasty little bug in
the permissions of setns.  With unprivileged user namespaces it
became possible to create new namespaces without privilege.

However the setns calls were relaxed to only require CAP_SYS_ADMIN in
the user nameapce of the targed namespace.

Which made the following nasty sequence possible.

pid = clone(CLONE_NEWUSER | CLONE_NEWNS);
if (pid == 0) { /* child */
	system("mount --bind /home/me/passwd /etc/passwd");
}
else if (pid != 0) { /* parent */
	char path[PATH_MAX];
	snprintf(path, sizeof(path), "/proc/%u/ns/mnt");
	fd = open(path, O_RDONLY);
	setns(fd, 0);
	system("su -");
}

Prevent this possibility by requiring CAP_SYS_ADMIN
in the current user namespace when joing all but the user namespace.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

parent 520d9eab

fs/namespace.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -2781,7 +2781,8 @@ static int mntns_install(struct nsproxy nsproxy, void ns)
		struct path root;

		if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) \|\|
		!nsown_capable(CAP_SYS_CHROOT))
		!nsown_capable(CAP_SYS_CHROOT) \|\|
		!nsown_capable(CAP_SYS_ADMIN))
		return -EPERM;

		if (fs->users != 1)

ipc/namespace.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -170,7 +170,8 @@ static void ipcns_put(void *ns)
		static int ipcns_install(struct nsproxy nsproxy, void new)
		{
		struct ipc_namespace *ns = new;
		if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
		if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) \|\|
		!nsown_capable(CAP_SYS_ADMIN))
		return -EPERM;

		/* Ditch state from the old ipc namespace */

kernel/pid_namespace.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -325,7 +325,8 @@ static int pidns_install(struct nsproxy nsproxy, void ns)
		struct pid_namespace *active = task_active_pid_ns(current);
		struct pid_namespace ancestor, new = ns;

		if (!ns_capable(new->user_ns, CAP_SYS_ADMIN))
		if (!ns_capable(new->user_ns, CAP_SYS_ADMIN) \|\|
		!nsown_capable(CAP_SYS_ADMIN))
		return -EPERM;

		/*

kernel/utsname.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -113,7 +113,8 @@ static int utsns_install(struct nsproxy nsproxy, void new)
		{
		struct uts_namespace *ns = new;

		if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
		if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN) \|\|
		!nsown_capable(CAP_SYS_ADMIN))
		return -EPERM;

		get_uts_ns(ns);

net/core/net_namespace.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -649,7 +649,8 @@ static int netns_install(struct nsproxy nsproxy, void ns)
		{
		struct net *net = ns;

		if (!ns_capable(net->user_ns, CAP_SYS_ADMIN))
		if (!ns_capable(net->user_ns, CAP_SYS_ADMIN) \|\|
		!nsown_capable(CAP_SYS_ADMIN))
		return -EPERM;

		put_net(nsproxy->net_ns);

CRA Git | Maintained and supported by SUSTech CRA and CCSE