[lxc-devel] [lxd/master] fuidshift: expand symlinks to last path component

brauner on Github lxc-bot at linuxcontainers.org
Thu Sep 15 10:00:14 UTC 2016


From 0d56d9d3b2fe0e6bf4716611bac8b6fe916341cf Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Thu, 15 Sep 2016 11:53:01 +0200
Subject: [PATCH] fuidshift: expand symlinks to last path component

So far doUidshiftIntoContainer() expanded all symlinks in the path it got
passed. This meant that when the user created symlinks referring to
non-existing files or referring to paths on the host, fuidshift would either fail
in the first case or change files on the host. With this commit, we start to
only resolve the path that gets passed to fuidshift up to the last path
component. This should be safe since shiftowner() in shared/util_linux.go will
a) perform another safety check and b) will only change ownership of the symlink
itself.

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
---
 shared/idmapset_linux.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/shared/idmapset_linux.go b/shared/idmapset_linux.go
index b02a40d..b3d81d6 100644
--- a/shared/idmapset_linux.go
+++ b/shared/idmapset_linux.go
@@ -223,11 +223,13 @@ func GetOwner(path string) (int, int, error) {
 }
 
 func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how string) error {
-	// Expand any symlink in dir and cleanup resulting path
-	dir, err := filepath.EvalSymlinks(dir)
+	// Expand any symlink before the final path component
+	tmp := filepath.Dir(dir)
+	tmp, err := filepath.EvalSymlinks(tmp)
 	if err != nil {
 		return err
 	}
+	dir = filepath.Join(tmp, filepath.Base(dir))
 	dir = strings.TrimRight(dir, "/")
 
 	convert := func(path string, fi os.FileInfo, err error) (e error) {
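
Review bot: The `strings.TrimRight(dir, "/")` call still runs after the new `filepath.Dir`/`filepath.Base` split, so a `dir` passed with a trailing slash is split incorrectly. For a path such as `/a/b/`, `filepath.Dir` returns `/a/b` and `filepath.Base` returns `b`, so `EvalSymlinks` does resolve the final component and the join produces `/a/b/b`, which is both the wrong path and the behaviour this change is meant to remove. Suggest trimming the trailing slashes first (or calling `filepath.Clean(dir)`) before taking `filepath.Dir(dir)`, and keeping the edge case of `dir` being `/` in mind when doing so. It would also help to extend the comment to say why the last component is left unresolved, since the safety argument in the commit message (shiftowner() only changing the symlink itself) is not visible at this call site.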

