[lxc-devel] [PATCH 1/1] fix root-owned unpriv containers

Serge Hallyn serge.hallyn at ubuntu.com
Sun Sep 14 04:38:30 UTC 2014


lxc_map_ids was always using newuidmap if it existed.  We don't want
to use it if we start as root.

Note that when /var/lib/lxc is 700, root still cannot start containers
there, because the subuid will not be able to read the configuration
file to start the container.  Root can work around that by using another
lxcpath, i.e. /opt/lxc.  (We may want to talk about ways to fix this)

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/conf.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..6fc85e1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3429,15 +3429,15 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	enum idtype type;
 	char *buf = NULL, *pos, *cmdpath = NULL;
 
-	cmdpath = on_path("newuidmap", NULL);
-	if (cmdpath) {
-		use_shadow = 1;
-		free(cmdpath);
-	}
-
-	if (!use_shadow && geteuid()) {
-		ERROR("Missing newuidmap/newgidmap");
-		return -1;
+	if (geteuid()) {
+		cmdpath = on_path("newuidmap", NULL);
+		if (cmdpath) {
+			use_shadow = 1;
+			free(cmdpath);
+		} else {
+			ERROR("Missing newuidmap/newgidmap");
+			return -1;
+		}
 	}
 
 	for(type = ID_TYPE_UID; type <= ID_TYPE_GID; type++) {
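Review bot: the new `else` branch reports "Missing newuidmap/newgidmap", but the probe above it only looks for `newuidmap` (`cmdpath = on_path("newuidmap", NULL);`), so an unprivileged caller that has newuidmap installed but not newgidmap passes this check with `use_shadow = 1` and will only fail later, once the `for` loop reaches ID_TYPE_GID; consider probing both binaries before setting `use_shadow`, or naming only the binary actually checked in the message. Also, with the probe moved under `if (geteuid())`, a root caller now leaves `use_shadow` at whatever value its declaration gives it, so the direct-write path relies on that initialiser being 0; the declaration is outside this hunk, so please confirm it.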
-- 
2.1.0
