[lxc-devel] [lxc/master] lxc-checkconfig: verify new[ug]idmap are setuid-root

hallyn on Github lxc-bot at linuxcontainers.org
Tue Mar 14 18:17:51 UTC 2017


From a7380366889cfba5856ed20fd1c451bfb5ecc365 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge at hallyn.com>
Date: Tue, 14 Mar 2017 13:16:48 -0500
Subject: [PATCH] lxc-checkconfig: verify new[ug]idmap are setuid-root

---
 src/lxc/tools/lxc-checkconfig.in | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/lxc/tools/lxc-checkconfig.in b/src/lxc/tools/lxc-checkconfig.in
index 61627e0..4182191 100644
--- a/src/lxc/tools/lxc-checkconfig.in
+++ b/src/lxc/tools/lxc-checkconfig.in
@@ -88,6 +88,24 @@ echo -n "Utsname namespace: " && is_enabled CONFIG_UTS_NS
 echo -n "Ipc namespace: " && is_enabled CONFIG_IPC_NS yes
 echo -n "Pid namespace: " && is_enabled CONFIG_PID_NS yes
 echo -n "User namespace: " && is_enabled CONFIG_USER_NS
+if is_set CONFIG_USER_NS; then
+	if type newuidmap > /dev/null 2>&1; then
+		f=`type -P newuidmap`
+		if [ ! -u "${f}" ]; then
+			echo "Warning: newuidmap is not setuid-root"
+		fi
+	else
+		echo "newuidmap is not installed"
+	fi
+	if type newgidmap > /dev/null 2>&1; then
+		f=`type -P newgidmap`
+		if [ ! -u "${f}" ]; then
+			echo "Warning: newgidmap is not setuid-root"
+		fi
+	else
+		echo "newgidmap is not installed"
+	fi
+fi
 echo -n "Network namespace: " && is_enabled CONFIG_NET_NS
 if ([ $KVER_MAJOR -lt 4 ]) || ([ $KVER_MAJOR -eq 4 ] && [ $KVER_MINOR -lt 7 ]); then
 	echo -n "Multiple /dev/pts instances: " && is_enabled DEVPTS_MULTIPLE_INSTANCES
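Review bot: The `if [ ! -u "${f}" ]` tests check only the setuid bit and never the owner, so a newuidmap/newgidmap that is setuid to a non-root user passes while the message reports it as "setuid-root"; adding an owner comparison such as `if [ ! -u "${f}" ] || [ "$(stat -c %u -- "${f}")" != 0 ]; then` makes the check match the warning text (`stat -c` is GNU-specific, so pick the form the rest of the script already relies on). The newgidmap block repeats the newuidmap block line for line and both write the script-global `f`; a small helper taking the program name, e.g. `check_setuid_root newuidmap`, would remove the duplication and keep `f` local. `type -P` is a bash option rather than POSIX sh; whether this script runs under bash is not visible here since its shebang lies outside the hunk. An installation that grants these binaries the needed privilege via file capabilities instead of setuid would, as far as the hunk shows, also receive the warning, which may be worth softening in the message.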

