[lxc-devel] [PATCH] chmod container dir to 0770 (v2)

Stéphane Graber stgraber at ubuntu.com
Fri Aug 22 18:57:58 UTC 2014


On Thu, Aug 21, 2014 at 04:02:18PM +0000, Serge Hallyn wrote:
> This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs
> and running setuid-root applications to get write access to u1's
> container rootfs.
> 
> v2: set umask to 002 for the mkdir.  Otherwise if umask happens to be,
> say, 022, then user does not have write permissions under the container
> dir and creation of $containerdir/partial file will fail.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/lxccontainer.c | 43 ++++++++++++++++++++++++++++++-------------
>  1 file changed, 30 insertions(+), 13 deletions(-)
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 0cf21ce..0686b52 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -733,6 +733,31 @@ static bool lxcapi_stop(struct lxc_container *c)
>  	return ret == 0;
>  }
>  
> +static int do_create_container_dir(const char *path, struct lxc_conf *conf)
> +{
> +	int ret = -1, lasterr;
> +	char *p = alloca(strlen(path)+1);
> +	mode_t mask = umask(0002);
> +	ret = mkdir(path, 0770);
> +	lasterr = errno;
> +	umask(mask);
> +	errno = lasterr;
> +	if (ret) {
> +		if (errno == EEXIST)
> +			ret = 0;
> +		else {
> +			SYSERROR("failed to create container path %s", path);
> +			return -1;
> +		}
> +	}
> +	strcpy(p, path);
> +	if (!lxc_list_empty(&conf->id_map) && chown_mapped_root(p, conf) != 0) {
> +		ERROR("Failed to chown container dir");
> +		ret = -1;
> +	}
> +	return ret;
> +}
> +
>  /*
>   * create the standard expected container dir
>   */
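Review bot: In `do_create_container_dir`, the `EEXIST` branch sets `ret = 0` without examining the existing entry, so a container directory created earlier with mode 0755 keeps that mode and stays traversable by other users; the restriction only reaches newly created directories. If existing containers are meant to be covered, a `stat()` of `path` in that branch could confirm it is a directory and warn or fix the mode when `st_mode & 0007` is non-zero. A plain `chmod()` may not be enough if the directory is already owned by the mapped root, which is not visible here. Separately, `umask(0002)` changes process-wide state, so a threaded caller of the library can create files under the wrong mask between the two `umask()` calls; a comment such as `/* umask is process-wide: not safe against concurrent file creation in other threads */` would at least record that. The `alloca(strlen(path)+1)` copy is sized by the caller's string with no upper bound.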
> @@ -750,13 +775,7 @@ static bool create_container_dir(struct lxc_container *c)
>  		free(s);
>  		return false;
>  	}
> -	ret = mkdir(s, 0755);
> -	if (ret) {
> -		if (errno == EEXIST)
> -			ret = 0;
> -		else
> -			SYSERROR("failed to create container path for %s", c->name);
> -	}
> +	ret = do_create_container_dir(s, c->lxc_conf);
>  	free(s);
>  	return ret == 0;
>  }
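Review bot: `c->lxc_conf` is handed to `do_create_container_dir()` without a NULL check, and the helper evaluates `&conf->id_map` unconditionally. Whether `lxc_conf` can be NULL here is not visible, since the start of `create_container_dir` lies outside the hunk; if it can, the helper's condition should read `if (conf && !lxc_list_empty(&conf->id_map) && chown_mapped_root(p, conf) != 0) {`. The `lxcapi_clone` call site passes the same pointer and would need the same guarantee. The replaced message also no longer includes `c->name`, so the log identifies the failure only by path.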
> @@ -2703,17 +2722,15 @@ sudo lxc-clone -o o1 -n n1 -s -L|-fssize fssize -v|--vgname vgname \
>  only rootfs gets converted (copied/snapshotted) on clone.
>  */
>  
> -static int create_file_dirname(char *path)
> +static int create_file_dirname(char *path, struct lxc_conf *conf)
>  {
>  	char *p = strrchr(path, '/');
> -	int ret;
> +	int ret = -1;
>  
>  	if (!p)
>  		return -1;
>  	*p = '\0';
> -	ret = mkdir(path, 0755);
> -	if (ret && errno != EEXIST)
> -		SYSERROR("creating container path %s", path);
> +        ret = do_create_container_dir(path, conf);
>  	*p = '/';
>  	return ret;
>  }
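Review bot: The added call in `create_file_dirname` is indented with eight spaces while every other line of the function uses a tab, so `ret = do_create_container_dir(path, conf);` should be re-indented with a single tab. The new `= -1` initialiser on `ret` is never read, because the early exit returns a literal `-1` and `ret` is assigned unconditionally afterwards; `int ret;` can stay as it was. A short comment above the function, e.g. `/* create the parent directory of path with container-dir permissions; path is edited in place and restored */`, would document why the parameter is a non-const `char *`.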
> @@ -2757,7 +2774,7 @@ static struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *n
>  		goto out;
>  	}
>  
> -	ret = create_file_dirname(newpath);
> +	ret = create_file_dirname(newpath, c->lxc_conf);
>  	if (ret < 0 && errno != EEXIST) {
>  		ERROR("Error creating container dir for %s", newpath);
>  		goto out;
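Review bot: The `errno != EEXIST` test in `lxcapi_clone` is stale now that `do_create_container_dir()` maps `EEXIST` to success itself, and it can mask a real failure. If `mkdir()` reports `EEXIST` and `chown_mapped_root()` then fails, the helper returns -1 while `errno` may still hold `EEXIST` (whether `chown_mapped_root` or `ERROR` resets it is not visible here), so the clone would continue into a directory whose ownership was not set. The condition should be `if (ret < 0) {`. The rest of `lxcapi_clone` lies outside the hunk.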
> -- 
> 2.1.0.rc1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com