[lxc-devel] [PATCH 1/1] chmod container dir to 0750
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Aug 15 16:14:20 UTC 2014
Quoting Dwight Engen (dwight.engen at oracle.com):
> On Thu, 14 Aug 2014 18:29:55 +0000
> Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>
> > This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs
> > and running setuid-root applications to get write access to u1's
> > container rootfs.
>
> Hey Serge,
>
> Subject says 0750 but the code is 0770. I assume we can't just make
Oh, yeah. Which it needs to be so that your group can still create
files under the container.
> chown_mapped_root() take a const char * because its visible and you
> want this to apply to -stable? At any rate,
Sigh, it may be doable, but chown_mapped_root() passes that char*
into exec which gcc then complains about. It may just be a question
of getting const onto the right part of the declaration of the
argvs, but my first two tries failed, so I did this.
> Acked-by: Dwight Engen <dwight.engen at oracle.com>
>
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> > src/lxc/lxccontainer.c | 39 ++++++++++++++++++++++++++-------------
> > 1 file changed, 26 insertions(+), 13 deletions(-)
> >
> > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> > index 38197d6..d76acc4 100644
> > --- a/src/lxc/lxccontainer.c
> > +++ b/src/lxc/lxccontainer.c
> > @@ -733,6 +733,27 @@ static bool lxcapi_stop(struct lxc_container *c)
> > return ret == 0;
> > }
> >
> > +static int do_create_container_dir(const char *path, struct lxc_conf
> > *conf) +{
> > + int ret = -1;
> > + char *p = alloca(strlen(path)+1);
> > + ret = mkdir(path, 0770);
> > + if (ret) {
> > + if (errno == EEXIST)
> > + ret = 0;
> > + else {
> > + SYSERROR("failed to create container path
> > %s", path);
> > + return -1;
> > + }
> > + }
> > + strcpy(p, path);
> > + if (!lxc_list_empty(&conf->id_map) && chown_mapped_root(p,
> > conf) != 0) {
> > + ERROR("Failed to chown container dir");
> > + ret = -1;
> > + }
> > + return ret;
> > +}
> > +
> > /*
> > * create the standard expected container dir
> > */
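Review bot: The EEXIST branch returns 0 without touching the mode, so a container directory created by an earlier release with 0755 keeps its world-traversable bits and the u2-into-rootfs case the description gives still applies to existing containers; the mode passed to mkdir is also narrowed by the caller's umask. If the intent is to enforce 0770 rather than only request it at creation, follow the EEXIST case with `if (chmod(path, 0770) < 0) { SYSERROR("failed to set permissions on container path %s", path); return -1; }`, or state in a comment above the function that only newly created directories are protected. The `if (errno == EEXIST)` arm is unbraced while its `else` is braced; bracing both arms is the safer reading. The alloca/strcpy copy exists only to hand a non-const pointer to chown_mapped_root(), as the thread already notes, and a one-line comment saying so would keep a later reader from "fixing" it.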
> > @@ -750,13 +771,7 @@ static bool create_container_dir(struct
> > lxc_container *c) free(s);
> > return false;
> > }
> > - ret = mkdir(s, 0755);
> > - if (ret) {
> > - if (errno == EEXIST)
> > - ret = 0;
> > - else
> > - SYSERROR("failed to create container path
> > for %s", c->name);
> > - }
> > + ret = do_create_container_dir(s, c->lxc_conf);
> > free(s);
> > return ret == 0;
> > }
> > @@ -2703,17 +2718,15 @@ sudo lxc-clone -o o1 -n n1 -s -L|-fssize
> > fssize -v|--vgname vgname \ only rootfs gets converted
> > (copied/snapshotted) on clone. */
> >
> > -static int create_file_dirname(char *path)
> > +static int create_file_dirname(char *path, struct lxc_conf *conf)
> > {
> > char *p = strrchr(path, '/');
> > - int ret;
> > + int ret = -1;
> >
> > if (!p)
> > return -1;
> > *p = '\0';
> > - ret = mkdir(path, 0755);
> > - if (ret && errno != EEXIST)
> > - SYSERROR("creating container path %s", path);
> > + ret = do_create_container_dir(path, conf);
> > *p = '/';
> > return ret;
> > }
> > @@ -2756,7 +2769,7 @@ static struct lxc_container
> > *lxcapi_clone(struct lxc_container *c, const char *n goto out;
> > }
> >
> > - ret = create_file_dirname(newpath);
> > + ret = create_file_dirname(newpath, c->lxc_conf);
> > if (ret < 0 && errno != EEXIST) {
> > ERROR("Error creating container dir for %s",
> > newpath); goto out;
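Review bot: The `errno != EEXIST` qualifier on the check after the new call is stale: create_file_dirname() now goes through do_create_container_dir(), which already maps EEXIST to a 0 return, so a -1 here means a real mkdir failure or a chown_mapped_root() failure, and after the latter errno is whatever that helper (which execs, per the thread) last set. If it happens to be EEXIST the error is skipped and the clone continues with a directory that was never chowned. `if (ret < 0) {` is the condition the new code supports. lxcapi_clone() starts and ends outside the hunk.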
>