[lxc-devel] [PATCH] lxc-download: Detect unpriv created by real root
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Feb 26 19:44:29 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> This adds yet another case in the in_userns function detecting the case
> where an unprivileged container is created by the real uid 0, in which
> case we want to share the system wide cache but still use the
> unprivileged templates and unpack method.
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> templates/lxc-download.in | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/templates/lxc-download.in b/templates/lxc-download.in
> index 53b06e7..732bd97 100644
> --- a/templates/lxc-download.in
> +++ b/templates/lxc-download.in
> @@ -142,8 +142,11 @@ gpg_validate() {
>
> in_userns() {
> [ -e /proc/self/uid_map ] || { echo no; return; }
> - line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
> - [ "$line" = "0 0 4294967295" ] && { echo no; return; }
> + awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map | while read line; do
> + [ "$line" = "0 0 4294967295" ] && { echo no; return; }
> + echo $line | grep -q " 0 1$" && { echo userns-root; return; }
> + done
> +
> [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
> { echo userns-root; return; }
> echo yes
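Review bot: the `return` statements inside the new `awk ... | while read line; do ... done` loop do not leave `in_userns`: under /bin/sh the right-hand side of a pipeline runs in a subshell, so `return` (and `echo no` / `echo userns-root` before it) only ends that subshell, and the function then falls through to the `/proc/1/uid_map` comparison and `echo yes`, so a caller using `$(in_userns)` can receive two words such as `no yes` or `userns-root userns-root`. Suggest feeding the file to the loop directly so it runs in the function's own shell, e.g. `while read -r first second third _; do [ "$first $second $third" = "0 0 4294967295" ] && { echo no; return; } ... done < /proc/self/uid_map`, which also removes the `awk` and the unquoted `echo $line | grep` pipeline; alternatively store the verdict in a variable inside the loop and echo it once after `done`.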
> --
> 1.9.0
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel