[lxc-devel] [lxc/lxc] dbaf55: utils: add uid, gid, group convenience wrappers

GitHub noreply at github.com
Sat Jan 7 16:33:59 UTC 2017 

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: dbaf55a35377e1aa497ffc22de528e76c237b0fd
      https://github.com/lxc/lxc/commit/dbaf55a35377e1aa497ffc22de528e76c237b0fd
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-01-07 (Sat, 07 Jan 2017)

  Changed paths:
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  utils: add uid, gid, group convenience wrappers

This commit adds lxc_switch_uid_gid() which allows to switch the uid and gid of
a process via setuid() and setgid() and lxc_setgroups() which allows to set
groups via setgroups(). The main advantage is that they nicely log the switches
they perform.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: d08f8d2f74c7407c40fc80e3878d631bd8f50214
      https://github.com/lxc/lxc/commit/d08f8d2f74c7407c40fc80e3878d631bd8f50214
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-01-07 (Sat, 07 Jan 2017)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  start: fix execute and improve setgroups() calls

lxc_execute() and lxc-execute where broken when a user tried to switch to a
non-root uid/gid. This prevented necessary setup operations like mounting the
rootfs which require root in the user namespace. This commit separates
switching to root in the user namespace from switching to the requested uid/gid
by lxc_execute().
This should be safe: Once we switched to root in the user namespace via
setuid() and then switch to a non-root uid/gid in the user namespace for
lxc_execute() via setuid() we cannot regain root privileges again. So we can
only make us safer (Unless I forget about some very intricate user namespace
nonsense; which is not as unlikely as I try to make it sound.).

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: ca364dc0ddac2215a4a28a587b829cf9509b479f
      https://github.com/lxc/lxc/commit/ca364dc0ddac2215a4a28a587b829cf9509b479f
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-01-07 (Sat, 07 Jan 2017)

  Changed paths:
    M src/lxc/caps.c
    M src/lxc/caps.h

  Log Message:
  -----------
  caps: add lxc_cap_is_set()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 87bf0db03d2a5f06250a21202432769a2eb942a1
      https://github.com/lxc/lxc/commit/87bf0db03d2a5f06250a21202432769a2eb942a1
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-01-07 (Sat, 07 Jan 2017)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  start: check for CAP_SETGID before setgroups()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: e3cca06889392da0c4c3421c18ada3ab98b9491b
      https://github.com/lxc/lxc/commit/e3cca06889392da0c4c3421c18ada3ab98b9491b
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2017-01-07 (Sat, 07 Jan 2017)

  Changed paths:
    M src/lxc/caps.c
    M src/lxc/caps.h
    M src/lxc/start.c
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  Merge pull request #1373 from brauner/2016-01-02/fix_execute_and_improve_setgroups

start: fix execute and improve setgroups() calls


Compare: https://github.com/lxc/lxc/compare/4484e6f80c75...e3cca0688939

More information about the lxc-devel mailing list