[lxc-devel] [lxd/master] allow arbitrary users to read idmaps

tych0 on Github lxc-bot at linuxcontainers.org
Mon Jan 8 17:59:12 UTC 2018


From f0751d938ed8c11b2aa3b234984ae006da55f286 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho at tycho.ws>
Date: Mon, 8 Jan 2018 10:06:34 -0700
Subject: [PATCH] allow arbitrary users to read idmaps

Instead of hardcoding always using root's idmap, let's ask for the current
user's idmap. This should have no effect for LXD, but may potentially be
useful for downstream users of idmap :)

Signed-off-by: Tycho Andersen <tycho at tycho.ws>
---
 shared/idmap/idmapset_linux.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index a85a74714..d9edc8a97 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"os/user"
 	"path"
 	"path/filepath"
 	"reflect"
@@ -667,8 +668,13 @@ func DefaultIdmapSet() (*IdmapSet, error) {
 	newuidmap, _ := exec.LookPath("newuidmap")
 	newgidmap, _ := exec.LookPath("newgidmap")
 	if newuidmap != "" && newgidmap != "" && shared.PathExists("/etc/subuid") && shared.PathExists("/etc/subgid") {
+		currentUser, err := user.Current()
+		if err != nil {
+			return nil, err
+		}
+
 		// Parse the shadow uidmap
-		entries, err := getFromShadow("/etc/subuid", "root")
+		entries, err := getFromShadow("/etc/subuid", currentUser.Username)
 		if err != nil {
 			return nil, err
 		}
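
Review bot: the new `return nil, err` after `user.Current()` hands the caller a bare error with no hint that the user lookup was the step that failed, and it is a failure path the hardcoded "root" lookup did not have. `fmt` is already imported, so wrap it, for example `return nil, fmt.Errorf("failed to look up current user: %v", err)`. Separately, the `/etc/subuid` lookup passes only `currentUser.Username`; subuid(5) allows the first field to be a login name or a numeric UID, so please confirm whether `getFromShadow` should also be tried with `currentUser.Uid` when the name does not match.
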
@@ -687,7 +693,7 @@ func DefaultIdmapSet() (*IdmapSet, error) {
 		}
 
 		// Parse the shadow gidmap
-		entries, err = getFromShadow("/etc/subgid", "root")
+		entries, err = getFromShadow("/etc/subgid", currentUser.Username)
 		if err != nil {
 			return nil, err
 		}
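
Review bot: on the `/etc/subgid` lookup, passing `currentUser.Username` is correct because subgid entries are keyed by the owning user rather than by a group name, but nothing in the code says so, and it is an easy line for someone to "fix" to a group name later. Extend the `// Parse the shadow gidmap` comment to say the file is looked up by user. The doc comment on `DefaultIdmapSet` should also state that the result now depends on the calling user and describe what a caller gets when that user has no entry in either file.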

