[lxc-devel] [lxc/lxc] 274f48: utils: add uid, gid, group convenience wrappers
GitHub
noreply at github.com
Wed Jan 18 23:04:13 UTC 2017
Branch: refs/heads/stable-2.0
Home: https://github.com/lxc/lxc
Commit: 274f480f8419a80e6626cf4abe7984e87d639aeb
https://github.com/lxc/lxc/commit/274f480f8419a80e6626cf4abe7984e87d639aeb
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M src/lxc/utils.c
M src/lxc/utils.h
Log Message:
-----------
utils: add uid, gid, group convenience wrappers
This commit adds lxc_switch_uid_gid() which allows to switch the uid and gid of
a process via setuid() and setgid() and lxc_setgroups() which allows to set
groups via setgroups(). The main advantage is that they nicely log the switches
they perform.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: a5828a51503b913c79a501db8b7371326e8dfa56
https://github.com/lxc/lxc/commit/a5828a51503b913c79a501db8b7371326e8dfa56
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
start: fix execute and improve setgroups() calls
lxc_execute() and lxc-execute where broken when a user tried to switch to a
non-root uid/gid. This prevented necessary setup operations like mounting the
rootfs which require root in the user namespace. This commit separates
switching to root in the user namespace from switching to the requested uid/gid
by lxc_execute().
This should be safe: Once we switched to root in the user namespace via
setuid() and then switch to a non-root uid/gid in the user namespace for
lxc_execute() via setuid() we cannot regain root privileges again. So we can
only make us safer (Unless I forget about some very intricate user namespace
nonsense; which is not as unlikely as I try to make it sound.).
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 3bce0fe96d3648f783ddb8b1c962bf5ac7269cfa
https://github.com/lxc/lxc/commit/3bce0fe96d3648f783ddb8b1c962bf5ac7269cfa
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M src/lxc/caps.c
M src/lxc/caps.h
Log Message:
-----------
caps: add lxc_cap_is_set()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 3e14d7594a271140ce2a921b058c1ec3ea3e99d8
https://github.com/lxc/lxc/commit/3e14d7594a271140ce2a921b058c1ec3ea3e99d8
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
start: check for CAP_SETGID before setgroups()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 2bce26ed17d9ca3bcc14e4e0e6c31c1d6525378f
https://github.com/lxc/lxc/commit/2bce26ed17d9ca3bcc14e4e0e6c31c1d6525378f
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M src/lxc/tools/lxc_start.c
Log Message:
-----------
tools/lxc-start: remove c->is_defined(c) check
We do not check here whether the container is defined, because we support
volatile containers. Which means the container does not need to be created for
it to be started. You can just pass a configuration file as argument and start
the container right away.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: 1caa57e6b2db972c261d5143f2cd6774a422f660
https://github.com/lxc/lxc/commit/1caa57e6b2db972c261d5143f2cd6774a422f660
Author: Evgeni Golov <evgeni at debian.org>
Date: 2017-01-18 (Wed, 18 Jan 2017)
Changed paths:
M config/init/sysvinit/lxc-containers.in
Log Message:
-----------
add cgroupfs-mount to Should-Start/Stop sysvinit LSB headers
otherwise init might try to start the containers before cgroupfs was
mounted.
Debian-Bug: https://bugs.debian.org/850212
Signed-off-by: Evgeni Golov <evgeni at debian.org>
Compare: https://github.com/lxc/lxc/compare/9d1d5bcad28d...1caa57e6b2db
More information about the lxc-devel
mailing list