[lxc-devel] [PATCH] use mkdir_p instead of mkdir at do_create_container_dir

Serge Hallyn serge.hallyn at ubuntu.com
Wed May 13 13:29:12 UTC 2015 

Quoting S.Çağlar Onur (caglar at 10ur.org):
> Otherwise trying to create an unprivileged container just after installing LXC fails with following;
> 
> lxc_container: lxccontainer.c: do_create_container_dir: 772 No such file or directory - failed to create container path /home/caglar/.local/share/lxc/rubik
> 
> $ ./create
> 2015/05/12 14:37:19 Creating container...
> lxc_container: lxccontainer.c: do_create_container_dir: 772 No such file or directory - failed to create container path /home/caglar/.local/share/lxc/rubik
> 2015/05/12 14:37:19 ERROR: creating the container failed
> 
> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
> ---
>  src/lxc/lxccontainer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index e8bade3..b0c33cc 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -850,7 +850,7 @@ static int do_create_container_dir(const char *path, struct lxc_conf *conf)
>  	int ret = -1, lasterr;
>  	char *p = alloca(strlen(path)+1);
>  	mode_t mask = umask(0002);
> -	ret = mkdir(path, 0770);
> +	ret = mkdir_p(path, 0770);

Ok sorry I thought this had already been discussed - but I think this should
be 0750, not 0770.

It might be worth having a discussion to come up with a better way.  Currently
for unprivileged containers we make

	.local/share/lxc 755, owned by your uid and gid
	.local/share/lxc/container 755, owned by container root uid and your host gid

Note that since no files are setuid-(host)-root, making .local/share/lxc
non-world-readable is not as crucial as it is for /var/lib/lxc.

I think it would be worth detecting whether acls are supported, and, if so,
switch to:

	.local/share/lxc 700
		owned by your uid and gid
		rx acls added for each root uid
	.local/share/lxc/container 770
		owned by container root uid and your gid

>  	lasterr = errno;
>  	umask(mask);
>  	errno = lasterr;
> -- 
> 2.1.4
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list