[lxc-devel] [PATCH 1/1] lxc_map_ids: add a comment
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 15 22:22:16 UTC 2014
(Sent this before in the middle of a thread, sending it separately
so it doesn't get lost)
Explain why we insist that root use newuidmap if it is available.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/conf.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 5e61c35..e61002b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3429,6 +3429,12 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
enum idtype type;
char *buf = NULL, *pos, *cmdpath = NULL;
+ /*
+ * If newuidmap exists, that is, if shadow is handing out subuid
+ * ranges, then insist that root also reserve ranges in subuid. This
+ * will protected it by preventing another user from being handed the
+ * range by shadow.
+ */
cmdpath = on_path("newuidmap", NULL);
if (cmdpath) {
use_shadow = 1;
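Review bot: The added comment has a grammar slip in "This will protected it by preventing another user from being handed the range", and "it" has no clear antecedent. Something like "This protects root's ranges by preventing another user from being handed the same range by shadow" states what is being protected. The comment also names only subuid, while the function declares `enum idtype type`; if gid mappings go through the same `use_shadow` path, say "subuid/subgid". Finally, the code only tests whether `newuidmap` is on the PATH, so the comment could state that its presence is being taken as the sign that shadow manages subordinate ranges, rather than presenting the two as equivalent.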
--
2.1.0