[lxc-devel] [PATCH 1/1] warn about insufficient permissions
Stéphane Graber
stgraber at ubuntu.com
Mon Feb 10 23:03:06 UTC 2014
On Mon, Feb 10, 2014 at 04:57:08PM -0600, Serge Hallyn wrote:
> With this patch, if an unprivileged user has $HOME 700 or
> 750 and does
>
> lxc-start -n c1
>
> he'll see an error like:
>
> lxc_container: Permission denied - could not access /home/serge. Please grant it 'x' access, or add an ACL for the container root.
>
> (This addresses bug pad.lv/1277466)
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/conf.c | 30 ++++++++++++++++++++++++++++++
> 1 file changed, 30 insertions(+)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 7ac1f06..4e25432 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -753,6 +753,31 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
> return 0;
> }
>
> +static void print_top_failing_dir(const char *path)
> +{
> + size_t len = strlen(path);
> + char *copy = alloca(len+1), *p, *e, saved;
> + strcpy(copy, path);
> +
> + p = copy;
> + e = copy + len;
> + while (p < e) {
> + while (p < e && *p == '/') p++;
> + while (p < e && *p != '/') p++;
> + if (p >= e)
> + return;
> + saved = *p;
> + *p = '\0';
> + if (access(copy, X_OK)) {
> + SYSERROR("could not access %s. Please grant it 'x' " \
> + "access, or add an ACL for the container root.",
> + copy);
> + return;
> + }
> + *p = saved;
> + }
> +}
> +
> static int mount_rootfs(const char *rootfs, const char *target, const char *options)
> {
> char absrootfs[MAXPATHLEN];
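Review bot: the walk in print_top_failing_dir() never tests the last path component, because `if (p >= e) return;` fires as soon as the final segment has been scanned, before the access() call. When every parent directory is searchable and only the rootfs directory itself is inaccessible, the function returns without printing anything. Consider running the access() check before the end-of-string test, or logging a generic failure for the full path when the loop finds no failing parent. Two smaller points: alloca(len+1) puts a copy of a caller-supplied path on the stack with no upper bound visible here, so a length check against MAXPATHLEN or a heap copy would be safer, and the `\` continuation after the first string literal in the SYSERROR call is unnecessary since adjacent literals concatenate anyway.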
> @@ -1546,6 +1571,11 @@ static int setup_rootfs(struct lxc_conf *conf)
> return -1;
> }
>
> + if (access(rootfs->path, R_OK)) {
> + print_top_failing_dir(rootfs->path);
> + return -1;
> + }
> +
> if (detect_shared_rootfs()) {
> if (chroot_into_slave(conf)) {
> ERROR("Failed to chroot into slave /");
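Review bot: the new early `return -1` in setup_rootfs() can be silent, since the only message comes from print_top_failing_dir(), which prints nothing unless a parent directory fails X_OK. A rootfs path that fails access(rootfs->path, R_OK) for another reason (a missing path, or a rootfs directory that is searchable but not readable) aborts setup with no diagnostic. Logging a SYSERROR with rootfs->path at this call site before calling the helper would preserve errno and cover those cases. The check here is R_OK while the helper's message tells the user to grant 'x' access, so the wording should cover both. Note also that access() evaluates the real UID/GID and is only an advisory pre-check, so the later mount still needs its own error handling.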
> --
> 1.9.rc1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com