[lxc-devel] [PATCH] Move back setcap for lxc-init

Daniel Lezcano dlezcano at fr.ibm.com
Sun Mar 22 23:17:46 UTC 2009


Guido Trotter wrote:
> On Sun, Mar 22, 2009 at 10:24 PM, Daniel Lezcano <dlezcano at fr.ibm.com> wrote:
>> Guido Trotter wrote:
>>> Putting setcap cap_sys_admin=ep $(libexecdir)/lxc-init in the
>>> install-libexecPROGRAMS: overrides the default version of the target,
>>> making lxc-init not actually installed anymore. Removing the overridden
>>> target, and putting the setcap back where it was, in install-exec-local,
>>> just with the correct path.
>>>
>>> Signed-off-by: Guido Trotter <ultrotter at quaqua.net>
>>> ---
>>>  src/lxc/Makefile.am |    5 ++---
>>>  1 files changed, 2 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
>>> index 28b7ac4..c2c33dd 100644
>>> --- a/src/lxc/Makefile.am
>>> +++ b/src/lxc/Makefile.am
>>> @@ -128,9 +128,6 @@ lxc_restart_LDADD = liblxc.la
>>>  lxc_version_SOURCES = lxc_version.c
>>>  lxc_version_LDADD = liblxc.la
>>>
>>> -install-libexecPROGRAMS:
>>> -        setcap cap_sys_admin=ep $(libexecdir)/lxc-init
>>> -
>>>  install-exec-local:
>>>        - at export PATH=$$PATH:/sbin:/usr/sbin && \
>>>         mkdir -p $(localstatedir) && \
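Review bot: with the override gone, the lxc-init setcap will live in the `install-exec-local` recipe shown here, and that recipe is one `&& \` chain whose first line is prefixed with `-` (rendered by the archive as `- at export PATH=$$PATH:/sbin:/usr/sbin && \`, i.e. `-@export ...`). The leading `-` makes make ignore a non-zero status from the whole chain, so any setcap that fails (setcap not found on PATH, not running as root, or the target binary absent) leaves the tool installed without its capabilities while `make install` still reports success. Suggest dropping the `-` for this recipe, or ending the chain with an explicit check, so a missing capability is an install error rather than a silent downgrade to "only works as root".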
>>> @@ -140,6 +137,8 @@ install-exec-local:
>>>         setcap
>>> cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep
>>> \
>>>                $(bindir)/lxc-execute && \
>>>                \
>>> +        setcap cap_sys_admin=ep $(libexecdir)/lxc-init && \
>>> +               \
>>>         setcap
>>> cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep
>>> \
>>>                $(bindir)/lxc-start && \
>>>                \
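Review bot: the added `setcap cap_sys_admin=ep $(libexecdir)/lxc-init && \` runs inside `install-exec-local`, and automake makes `install-exec-local` and `install-libexecPROGRAMS` sibling prerequisites of `install-exec-am` with no ordering between them (in the generated Makefile the local target is listed first), so lxc-init is normally not yet copied when this line executes; that is the `make uninstall install` failure Daniel describes. Either declare the dependency explicitly (`install-exec-local: install-libexecPROGRAMS`) or move the setcap calls to `install-exec-hook`, which automake runs only after all install-exec targets have completed. Separately, all the setcap lines in this hunk use bare `$(bindir)`/`$(libexecdir)` rather than `$(DESTDIR)$(bindir)`/`$(DESTDIR)$(libexecdir)`, so a staged install (`make install DESTDIR=...`, the normal case for package builds) either fails or sets capabilities on the host's own binaries instead of the staged ones.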
>> Well, I tried this before but it looks like lxc-init is not yet installed
>> when we are trying to set the capability.
>> You can check this by doing 'make uninstall install'
>>
>> I am wondering if creating a script to set these capabilities and calling it
>> from a post-install rule wouldn't be better.
>>  - the script can be reused in the different package templates (eg.
>> lxc.spec.in)
> 
> and debian/postinst, +1 for this option!! :)
> 
>>  - called from the Makefile
> 
> optionally, possibly! (so for debian builds I can disable it at
> ./configure time, and it will still be possible to call it at package
> install time, but not at package build/make install time)
> 
>>  - and called manually from the shell
>>
> 
> Sure, works for me.. :) Should this go in libexec too?

Yes, maybe, and maybe the script should do a little more and make it 
possible to set the capabilities and to remove them if the admin wants to 
make the lxc tools available only for root.

I am not a security expert, but IMHO the file capabilities used with lxc 
solve a lot of security problems; otherwise we have to be root to create 
a namespace, and we know that leads to the evil setuid root (e.g. ping). 
On the other hand, an anonymous user can create its own network stack and 
possibly mess with the outside world. Giving the ability to remove these 
capabilities is worth it, IMO.
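
A sketch of the script the thread is converging on, as an added example that is not lxc's own code: one entry point that can set, remove or verify the file capabilities, callable from `make install`, from a package postinst, or by hand. The binary names and capability sets are the ones visible in the quoted Makefile.am hunks; the DESTDIR prefix, the "not installed yet" check (which reports the exact failure Daniel hit instead of a bare setcap error) and the clear/check actions are my assumptions about what the proposed script should do.

```shell
#!/bin/sh
# lxc-caps: set, remove or verify the file capabilities on the lxc tools.
# Added example for this thread, not lxc's own script. Binary names and
# capability sets come from the quoted Makefile.am hunks; DESTDIR handling,
# the missing-binary check and the clear/check actions are assumptions.
#
# Usage: lxc-caps set|clear|check [bindir] [libexecdir]
#        DESTDIR=/tmp/stage lxc-caps set /usr/bin /usr/libexec
set -u

LXC_TOOL_CAPS='cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep'
LXC_INIT_CAPS='cap_sys_admin=ep'

# Print one "path capset" line per managed binary.
# $1 = bindir, $2 = libexecdir, $3 = DESTDIR prefix (may be empty).
lxc_cap_targets() {
    printf '%s %s\n' \
        "$3$1/lxc-execute" "$LXC_TOOL_CAPS" \
        "$3$1/lxc-start"   "$LXC_TOOL_CAPS" \
        "$3$2/lxc-init"    "$LXC_INIT_CAPS"
}

# Apply one action to one binary.
# Returns 2 when the binary is missing (the "lxc-init is not yet installed"
# case from the thread); otherwise setcap's own exit status is returned.
# $1 = set|clear|check, $2 = path, $3 = capset
lxc_cap_one() {
    if [ ! -f "$2" ]; then
        echo "lxc-caps: $2 is not installed" >&2
        return 2
    fi
    case $1 in
        set)   setcap "$3" "$2" ;;      # grant the file capabilities
        clear) setcap -r "$2" ;;        # strip them: tool usable by root only
        check) setcap -v "$3" "$2" ;;   # verify the file carries exactly $3
        *)     echo "lxc-caps: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Run an action over every target, stopping at the first failure. The loop is
# the last stage of the pipeline, so its exit status is what the caller sees.
# $1 = action, $2 = bindir, $3 = libexecdir, $4 = DESTDIR prefix (optional)
lxc_caps() {
    lxc_cap_targets "$2" "$3" "${4:-}" |
    while read -r path caps; do
        lxc_cap_one "$1" "$path" "$caps" || exit $?
    done
}

case ${1:-} in
    set|clear|check) lxc_caps "$1" "${2:-/usr/bin}" "${3:-/usr/libexec}" "${DESTDIR:-}" ;;
    '') ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 set|clear|check [bindir] [libexecdir]" >&2 ;;
esac
```

`setcap -r` and `setcap -v` are libcap's own remove and verify flags, and all three actions need root (CAP_SETFCAP) to touch the `security.capability` xattr. Because the capabilities are an extended attribute on the file, running the script against a DESTDIR stage at build time only helps if the packaging tool preserves xattrs; running it from the package's postinst, as Guido suggests, avoids that dependency. Setting `clear` as an option gives the admin the root-only mode Daniel describes without reinstalling.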
