[lxc-devel] [PATCH] lxc-download: Detect unpriv created by real root

Serge Hallyn serge.hallyn at ubuntu.com
Wed Feb 26 19:44:29 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This adds yet another case in the in_userns function detecting the case
> where an unprivileged container is created by the real uid 0, in which
> case we want to share the system wide cache but still use the
> unprivileged templates and unpack method.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  templates/lxc-download.in | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/templates/lxc-download.in b/templates/lxc-download.in
> index 53b06e7..732bd97 100644
> --- a/templates/lxc-download.in
> +++ b/templates/lxc-download.in
> @@ -142,8 +142,11 @@ gpg_validate() {
>  
>  in_userns() {
>      [ -e /proc/self/uid_map ] || { echo no; return; }
> -    line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
> -    [ "$line" = "0 0 4294967295" ] && { echo no; return; }
> +    awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map | while read line; do
> +        [ "$line" = "0 0 4294967295" ] && { echo no; return; }
> +        echo $line | grep -q " 0 1$" && { echo userns-root; return; }
> +    done
> +
>      [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
>          { echo userns-root; return; }
>      echo yes
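Review bot: the two "return"s inside the new while loop never return from in_userns, because the loop sits on the right-hand side of the awk pipe and therefore runs in a subshell; "no" or "userns-root" gets echoed, the subshell exits, and the function carries on to the /proc/1/uid_map comparison and can echo a second answer, so a caller doing "$(in_userns)" may see "no" followed by "yes" or "userns-root". Read the map directly instead of piping it, so the returns act on the function itself, e.g.

    while read -r inside outside count _; do
        [ "$inside $outside $count" = "0 0 4294967295" ] && { echo no; return; }
        [ "$outside $count" = "0 1" ] && { echo userns-root; return; }

closed with "done < /proc/self/uid_map"; that also drops the awk and the unquoted "echo $line | grep". The stray blank "+" line after "done" can go as well.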
> -- 
> 1.9.0
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

