[lxc-devel] [PATCH 1/1] chown_mapped_root: don't try chgrp if we don't own the file

Stéphane Graber stgraber at ubuntu.com
Thu Jul 3 19:14:05 UTC 2014 

On Thu, Jul 03, 2014 at 01:57:57PM -0500, Serge Hallyn wrote:
> New kernels require that to have privilege over a file, your
> userns must have the old and new groups mapped into your userns.
> So if a file is owned by our uid but another groupid, then we
> have to chgrp the file to our primary group before we can try
> (in a new user namespace) to chgrp the file to a group id in the
> namespace.
> 
> But in some cases (when cloning) the file may already be mapped
> into the container.  Now we cannot chgrp the file to our own
> primary group - and we don't have to.
> 
> So detect that case.  Only try to chgrp the file to our primary
> group if the file is owned by our euid (i.e. not by the container)
> and the owning group is not already mapped into the container by
> default.
> 
> With this patch, I'm again able to both create and clone containers
> with no errors again.
> 
> Reported-by: S.Çağlar Onur <caglar at 10ur.org>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/conf.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index dd92dae..66108bb 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3574,9 +3574,14 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
>  			return -1;
>  		}
>  
> -		// a trick for chgrp the file that is not owned by oneself
> -		if (chown(path, -1, hostgid) < 0) {
> -			ERROR("Error chgrp %s", path);
> +		/*
> +		 * A file has to be group-owned by a gid mapped into the
> +		 * container, or the container won't be privileged over it.
> +		 */
> +		if (sb.st_uid == geteuid() &&
> +				mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 &&
> +				chown(path, -1, hostgid) < 0) {
> +			ERROR("Failed chgrping %s", path);
>  			return -1;
>  		}
>  
> -- 
> 2.0.1
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140703/6b43ee8c/attachment.sig>

More information about the lxc-devel mailing list