[lxc-devel] [PATCH] Fix unprivileged containers started by root (v2)

Serge Hallyn serge.hallyn at ubuntu.com
Thu Feb 27 22:05:52 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This change makes it possible to create unprivileged containers as root.
> They will be stored in the usual system wide location, use the usual
> system wide cache but will be running using a uid/gid map.
> 
> This also updates lxc_usernsexec to use the same function as the rest of
> LXC, centralizing all the userns switch in a single function.
> 
> That function now detects the presence of newuidmap and newgidmap on the
> system, if they are present, they will be used for containers created as
> either user or root. If they're not and the user isn't root, an error is
> shown. If they're not and the user is root, LXC will directly set the
> uid_map and gid_map values.
> 
> All that should allow for a consistent experience as well as supporting
> distributions that don't yet ship newuidmap/newgidmap.
> 
> To make things simpler in the future, a helper function "on_path" is
> also introduced and used to detect the presence of newuidmap and
> newgidmap.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Great, thanks.

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

Only one comment,

> +bool on_path(char *cmd) {
> +	char *path = NULL;
> +	char *entry = NULL;
> +	char cmdpath[MAXPATHLEN];
> +	int ret;
> +
> +	path = getenv("PATH");
> +	if (!path)
> +		return false;
> +
> +	path = strdup(path);
> +	if (!path)
> +		return false;
> +
> +	entry = strtok(path, ":");

As this is a general helper, it should be thread-safe,
so we need to use strtok_r here.

> +	while (entry) {
> +		ret = snprintf(cmdpath, MAXPATHLEN, "%s/%s", entry, cmd);
> +
> +		if (ret < 0 || ret >= MAXPATHLEN)
> +			goto next_loop;
> +
> +		if (access(cmdpath, X_OK) == 0) {
> +			free(path);
> +			return true;
> +		}
> +
> +next_loop:
> +		entry = strtok(NULL, ":");
> +	}
> +
> +	free(path);
> +	return false;
> +}
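
Review bot: access(cmdpath, X_OK) inside the while loop also returns 0 for a directory that has search permission, and it checks against the real uid rather than the effective uid, so on_path() can report newuidmap or newgidmap as present when the entry is not an executable file. A stat() on cmdpath with an S_ISREG() test next to the access() call would close that gap. The cmd argument is only read, so it can be declared const char *cmd.
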
> diff --git a/src/lxc/utils.h b/src/lxc/utils.h
> index dcf0e34..978f586 100644
> --- a/src/lxc/utils.h
> +++ b/src/lxc/utils.h
> @@ -278,3 +278,4 @@ uint64_t fnv_64a_buf(void *buf, size_t len, uint64_t hval);
>  #endif
>  
>  int detect_shared_rootfs(void);
> +bool on_path(char *cmd);
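
Review bot: the new prototype bool on_path(char *cmd); is added to utils.h with no comment on what it searches or what true means. Since it is introduced as a general helper, a one-line comment stating that it looks for cmd in the entries of $PATH and returns true on the first executable match would help callers.
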
> -- 
> 1.9.0