From 9fea618481256122c1bd2a62ec382623b7528865 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Fri, 10 May 2024 18:21:21 +0200
Subject: Revert "examples/chroottar.py: harden against tars with high uids"

This reverts commit a169f51420795a212c3226f455e783ab8ac5cf47.

We really deal with two user namespaces. The initial/parent process maps
the target id range plus the current user id. The child process that
executes the workload only maps the target id range without the current
user id. The child opens the tar file while it still is in the initial
namespace, then unshares and once it only has the subid range mapped, it
performs the extraction. No clamping is necessary at this point. The
parent process maps additionally maps the current id in order to write
the tar file.
---
 examples/chroottar.py | 8 --------
 1 file changed, 8 deletions(-)

(limited to 'examples')

diff --git a/examples/chroottar.py b/examples/chroottar.py
index 30017e5..3c38a97 100755
--- a/examples/chroottar.py
+++ b/examples/chroottar.py
@@ -76,14 +76,6 @@ def main() -> None:
                 for tmem in tarf:
                     if tmem.name.removeprefix("./").startswith("dev/"):
                         continue
-                    # Our namespace has privileged uids allocated high. Hence
-                    # clamp unpacking.
-                    if tmem.uid >= 65536 or tmem.gid >= 65536:
-                        tmem.mode &= ~0o7000
-                    if tmem.uid >= 65536:
-                        tmem.uid = 0
-                    if tmem.gid >= 65536:
-                        tmem.gid = 0
                     tarf.extract(tmem, numeric_owner=True)
             linuxnamespaces.bind_mount(".", "/mnt", recursive=True)
             os.chdir("/mnt")
-- 
cgit v1.2.3