[lxc-devel] [PATCH 1/1] chmod container dir to 0750

Stéphane Graber stgraber at ubuntu.com
Fri Aug 15 20:44:21 UTC 2014


Sure, I'll update the subject.

On Fri, Aug 15, 2014 at 08:41:19PM +0000, Serge Hallyn wrote:
> So, Stéphane, when you apply this, can you change the subject to
> '0770'?  Or if you prefer I resend please let me know.
> 
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > On Thu, 14 Aug 2014 18:29:55 +0000
> > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > 
> > > This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs
> > > and running setuid-root applications to get write access to u1's
> > > container rootfs.
> > 
> > Hey Serge,
> > 
> > Subject says 0750 but the code is 0770. I assume we can't just make
> > chown_mapped_root() take a const char * because it's visible and you
> > want this to apply to -stable? At any rate,
> > 
> > Acked-by: Dwight Engen <dwight.engen at oracle.com>
> > 
> > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > ---
> > >  src/lxc/lxccontainer.c | 39 ++++++++++++++++++++++++++-------------
> > >  1 file changed, 26 insertions(+), 13 deletions(-)
> > > 
> > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> > > index 38197d6..d76acc4 100644
> > > --- a/src/lxc/lxccontainer.c
> > > +++ b/src/lxc/lxccontainer.c
> > > @@ -733,6 +733,27 @@ static bool lxcapi_stop(struct lxc_container *c)
> > >  	return ret == 0;
> > >  }
> > >  
> > > +static int do_create_container_dir(const char *path, struct lxc_conf
> > > *conf) +{
> > > +	int ret = -1;
> > > +	char *p = alloca(strlen(path)+1);
> > > +	ret = mkdir(path, 0770);
> > > +	if (ret) {
> > > +		if (errno == EEXIST)
> > > +			ret = 0;
> > > +		else {
> > > +			SYSERROR("failed to create container path
> > > %s", path);
> > > +			return -1;
> > > +		}
> > > +	}
> > > +	strcpy(p, path);
> > > +	if (!lxc_list_empty(&conf->id_map) && chown_mapped_root(p,
> > > conf) != 0) {
> > > +		ERROR("Failed to chown container dir");
> > > +		ret = -1;
> > > +	}
> > > +	return ret;
> > > +}
> > > +
> > >  /*
> > >   * create the standard expected container dir
> > >   */
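Review bot: A directory that already exists keeps whatever mode it had, because the EEXIST branch at `if (errno == EEXIST) ret = 0;` returns success without touching permissions, so a container dir created by an earlier release as 0755 stays world-traversable and the setuid-root trick described in the commit message still works there. Unless the existing-dir case is deliberately meant to leave shared or admin-managed paths alone, consider `if (errno == EEXIST) ret = chmod(path, 0770);` (with a SYSERROR on failure) so upgraded trees get the same protection. Note that mkdir's mode argument is masked by the process umask, so the effective mode can be tighter than 0770 but never looser, which is fine for this purpose. With 0770 the directory's group — presumably the creating user's primary group, since only chown_mapped_root is applied and I cannot see what group it sets — still gets traversal and write access, which is worth confirming is intended for the unprivileged case.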
> > > @@ -750,13 +771,7 @@ static bool create_container_dir(struct
> > > lxc_container *c) free(s);
> > >  		return false;
> > >  	}
> > > -	ret = mkdir(s, 0755);
> > > -	if (ret) {
> > > -		if (errno == EEXIST)
> > > -			ret = 0;
> > > -		else
> > > -			SYSERROR("failed to create container path
> > > for %s", c->name);
> > > -	}
> > > +	ret = do_create_container_dir(s, c->lxc_conf);
> > >  	free(s);
> > >  	return ret == 0;
> > >  }
> > > @@ -2703,17 +2718,15 @@ sudo lxc-clone -o o1 -n n1 -s -L|-fssize
> > > fssize -v|--vgname vgname \ only rootfs gets converted
> > > (copied/snapshotted) on clone. */
> > >  
> > > -static int create_file_dirname(char *path)
> > > +static int create_file_dirname(char *path, struct lxc_conf *conf)
> > >  {
> > >  	char *p = strrchr(path, '/');
> > > -	int ret;
> > > +	int ret = -1;
> > >  
> > >  	if (!p)
> > >  		return -1;
> > >  	*p = '\0';
> > > -	ret = mkdir(path, 0755);
> > > -	if (ret && errno != EEXIST)
> > > -		SYSERROR("creating container path %s", path);
> > > +        ret = do_create_container_dir(path, conf);
> > >  	*p = '/';
> > >  	return ret;
> > >  }
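Review bot: The replacement line `ret = do_create_container_dir(path, conf);` is indented with spaces while the rest of create_file_dirname uses tabs, which shows up as a whitespace-only difference in blame and trips checkpatch-style linters; indent it with a tab like the neighbouring `*p = '/';`. The new `int ret = -1;` initializer is redundant, since ret is assigned unconditionally before it is returned, though it is harmless. Because the helper now maps an existing directory to a 0 return and logs on the other mkdir failures, any caller that still inspects errno after a negative return should be re-checked.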
> > > @@ -2756,7 +2769,7 @@ static struct lxc_container
> > > *lxcapi_clone(struct lxc_container *c, const char *n goto out;
> > >  	}
> > >  
> > > -	ret = create_file_dirname(newpath);
> > > +	ret = create_file_dirname(newpath, c->lxc_conf);
> > >  	if (ret < 0 && errno != EEXIST) {
> > >  		ERROR("Error creating container dir for %s",
> > > newpath); goto out;
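Review bot: The `errno != EEXIST` qualifier on `if (ret < 0 && errno != EEXIST)` is now stale and can hide a real failure: do_create_container_dir already turns an existing directory into a 0 return, so a negative ret here means either mkdir failed for another reason or chown_mapped_root failed. In the latter case errno may still hold EEXIST from the preceding mkdir (I cannot see whether chown_mapped_root sets errno on its error path), and the clone would then proceed with a directory the mapped root inside the container cannot write to. Change the test to `if (ret < 0) {` so any failure of create_file_dirname aborts the clone. The body of lxcapi_clone continues outside this hunk.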
> > 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com