[lxc-devel] [PATCH 1/1] fix root-owned unpriv containers

Stéphane Graber stgraber at ubuntu.com
Sun Sep 14 04:42:22 UTC 2014


On Sun, Sep 14, 2014 at 04:38:30AM +0000, Serge Hallyn wrote:
> lxc_map_ids was always using newuidmap if it existed.  We don't want
> to use it if we start as root.

This was actually done on purpose to force everyone with a recent
version of shadow to set proper ranges for root in /etc/subuid and
/etc/subgid to avoid potential clashes at a later point when adding new
users.

> Note that when /var/lib/lxc is 700, root still cannot start containers
> there, because the subuid will not be able to read the configuration
> file to start the container.  Root can work around that by using another
> lxcpath, i.e. /opt/lxc.  (We may want to talk about ways to fix this)
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
>  src/lxc/conf.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 5e61c35..6fc85e1 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3429,15 +3429,15 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
>  	enum idtype type;
>  	char *buf = NULL, *pos, *cmdpath = NULL;
>  
> -	cmdpath = on_path("newuidmap", NULL);
> -	if (cmdpath) {
> -		use_shadow = 1;
> -		free(cmdpath);
> -	}
> -
> -	if (!use_shadow && geteuid()) {
> -		ERROR("Missing newuidmap/newgidmap");
> -		return -1;
> +	if (geteuid()) {
> +		cmdpath = on_path("newuidmap", NULL);
> +		if (cmdpath) {
> +			use_shadow = 1;
> +			free(cmdpath);
> +		} else {
> +			ERROR("Missing newuidmap/newgidmap");
> +			return -1;
> +		}
>  	}
>  
>  	for(type = ID_TYPE_UID; type <= ID_TYPE_GID; type++) {
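Review bot: The `on_path("newuidmap", NULL)` check in this hunk still probes only for newuidmap while the error reports "Missing newuidmap/newgidmap"; on a host that ships newuidmap but not newgidmap the unprivileged path proceeds with `use_shadow = 1` and fails later at the gid mapping instead of here. Checking for both helpers before setting `use_shadow` would make the error message accurate. The hunk also changes what root does when the shadow helpers are installed: the `if (geteuid())` guard means root never calls newuidmap/newgidmap and writes the mapping directly, so the /etc/subuid and /etc/subgid range checks those helpers enforce no longer apply to root-owned containers. That trade-off should be stated in the commit message, since the previous behaviour of always preferring the helpers was relied on to keep root's ranges consistent with other users.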
> -- 
> 2.1.0

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com