[lxc-devel] [PATCH] Create lxcpath if it's missing

Serge Hallyn serge.hallyn at ubuntu.com
Mon May 18 17:49:28 UTC 2015


Quoting S.Çağlar Onur (caglar at 10ur.org):
> Hey Serge,
> 
> On Tue, May 12, 2015 at 6:28 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting S.Çağlar Onur (caglar at 10ur.org):
> >> Hey,
> >>
> >> On Tue, May 12, 2015 at 2:43 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> >> > On Tue, May 12, 2015 at 02:27:48PM -0400, S.Çağlar Onur wrote:
> >> >> Otherwise calling list_defined_containers just after installing LXC ends up with the following error
> >> >>
> >> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
> >> >>
> >> >> $ /home/caglar/go/src/gopkg.in/lxc/go-lxc.v2/examples/list
> >> >> 2015/05/12 14:23:08 Defined containers:
> >> >> lxc: lxccontainer.c: list_defined_containers: 4310 No such file or directory - opendir on lxcpath
> >> >> 2015/05/12 14:23:08
> >> >> 2015/05/12 14:23:08 Active containers:
> >> >> 2015/05/12 14:23:08
> >> >> 2015/05/12 14:23:08 Active and Defined containers:
> >> >> $
> >> >>
> >> >> Signed-off-by: S.Çağlar Onur <caglar at 10ur.org>
> >> >> ---
> >> >>  src/lxc/lxccontainer.c | 5 +++++
> >> >>  1 file changed, 5 insertions(+)
> >> >>
> >> >> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> >> >> index 8999f44..e8bade3 100644
> >> >> --- a/src/lxc/lxccontainer.c
> >> >> +++ b/src/lxc/lxccontainer.c
> >> >> @@ -3965,6 +3965,11 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta
> >> >>       if (!lxcpath)
> >> >>               lxcpath = lxc_global_config_value("lxc.lxcpath");
> >> >>
> >> >> +     if (mkdir_p(lxcpath, 0755) < 0) {
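Review bot: the mode passed to mkdir_p() in list_defined_containers() is hard-coded to 0755, so a missing lxcpath is always created traversable by every user, whichever path the caller passed or lxc.lxcpath resolved to. Either choose the mode from the caller's context (0700 where other users must not be able to traverse lxcpath) or drop the mkdir and return zero containers when opendir fails with "No such file or directory", since a listing call that creates directories is a surprising side effect. The diffstat says 5 insertions but only this line is quoted, so the error path cannot be reviewed here.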
> >> >
> >> > I'm not yet sure that we really want to do the mkdir, but the dir
> >> > permission there is wrong, lxcpath should be 700.
> >> >
> >> > The reason for this is to avoid security issues where an unprivileged
> >> > user can traverse through lxcpath and find an old setuid binary with a
> >> > security issue they can use to gain root.
> >>
> >> Hmm, I tried 700 first but failed and thought it needs to be 755 because it tells me
> >>
> >> Permission denied - could not access /home/caglar/.local/share/lxc.
> >> Please grant it 'x' access, or add an ACL for the container root.
> >
> > Yeah no, for unprivileged containers we leave lxcpath 755, and
> > make $lxcpath/$lxcname be 750, owned by the container root and
> > group-owned by owner.
> 
> OK, then unless I miss something else this patch is using the correct
> mode, it's just whether we want mkdir or not?

Hm, no, it is correct for unprivileged containers, but for privileged
containers we do use 700 as Stéphane said.  (The reason being that if there
are any setuid-root binaries with exploits on an un-updated container rootfs,
that kinda sucks - for unprivileged containers, where you'd setuid to uid
100000, not so much)

