[lxc-devel] [lxc/master] utils: allow lxc-attach to set uid / gid

Disassembler0 on Github lxc-bot at linuxcontainers.org
Sat Sep 8 21:23:01 UTC 2018


From 77c33627e3e860939a108b44bcc4fcd0687f1ec6 Mon Sep 17 00:00:00 2001
From: Disassembler <disassembler at dasm.cz>
Date: Sat, 8 Sep 2018 22:57:44 +0200
Subject: [PATCH] utils: allow lxc-attach to set uid / gid

 - Allow lxc-attach to set UID / GID as requested in #2591
 - Rearrange order of actions on attach
 - Add documentation also for lxc-execute which has the same params

Signed-off-by: Disassembler <disassembler at dasm.cz>
---
 doc/lxc-attach.sgml.in     | 26 ++++++++++++++++++++++++++
 doc/lxc-execute.sgml.in    | 26 ++++++++++++++++++++++++++
 src/lxc/attach.c           | 14 +++++++-------
 src/lxc/tools/lxc_attach.c | 20 ++++++++++++++++++++
 4 files changed, 79 insertions(+), 7 deletions(-)

diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
index 713a30e7f..14fa77d79 100644
--- a/doc/lxc-attach.sgml.in
+++ b/doc/lxc-attach.sgml.in
@@ -60,6 +60,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       <arg choice="opt">--clear-env</arg>
       <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
       <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
+      <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
+      <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
       <arg choice="opt">-- <replaceable>command</replaceable></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -282,6 +284,30 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>
+	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	</term>
+	<listitem>
+	  <para>
+	    Executes the <replaceable>command</replaceable> with user ID
+	   <replaceable>uid</replaceable> inside the container.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>
+	  <option>--g, --gid <replaceable>gid</replaceable></option>
+	</term>
+	<listitem>
+	  <para>
+	    Executes the <replaceable>command</replaceable> with group ID
+	   <replaceable>gid</replaceable> inside the container.
+	  </para>
+	</listitem>
+      </varlistentry>
+
      </variablelist>
 
   </refsect1>
diff --git a/doc/lxc-execute.sgml.in b/doc/lxc-execute.sgml.in
index 20814348d..8b249b329 100644
--- a/doc/lxc-execute.sgml.in
+++ b/doc/lxc-execute.sgml.in
@@ -53,6 +53,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       <arg choice="opt">-d</arg>
       <arg choice="opt">-f <replaceable>config_file</replaceable></arg>
       <arg choice="opt">-s KEY=VAL</arg>
+      <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
+      <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
       <arg choice="opt">-- <replaceable>command</replaceable></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -139,6 +141,30 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+	<term>
+	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	</term>
+	<listitem>
+	  <para>
+	    Executes the <replaceable>command</replaceable> with user ID
+	   <replaceable>uid</replaceable> inside the container.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>
+	  <option>--g, --gid <replaceable>gid</replaceable></option>
+	</term>
+	<listitem>
+	  <para>
+	    Executes the <replaceable>command</replaceable> with group ID
+	   <replaceable>gid</replaceable> inside the container.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
 	<term><option>--</option></term>
 	<listitem>
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 87f14398f..c0773851e 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -852,13 +852,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
 	if (options->gid != (gid_t)-1)
 		new_gid = options->gid;
 
-	/* Try to set the {u,g}id combination. */
-	if (new_uid != 0 || new_gid != 0 || options->namespaces & CLONE_NEWUSER) {
-		ret = lxc_switch_uid_gid(new_uid, new_gid);
-		if (ret < 0)
-			goto on_error;
-	}
-
 	ret = lxc_setgroups(0, NULL);
 	if (ret < 0 && errno != EPERM)
 		goto on_error;
@@ -897,6 +890,13 @@ static int attach_child_main(struct attach_clone_payload *payload)
 		TRACE("Loaded seccomp profile");
 	}
 
+	/* Try to set the {u,g}id combination. */
+	if (new_uid != 0 || new_gid != 0 || options->namespaces & CLONE_NEWUSER) {
+		ret = lxc_switch_uid_gid(new_uid, new_gid);
+		if (ret < 0)
+			goto on_error;
+	}
+
 	shutdown(payload->ipc_socket, SHUT_RDWR);
 	close(payload->ipc_socket);
 	payload->ipc_socket = -EBADF;
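Review bot: The relocated `lxc_switch_uid_gid()` call now runs after the seccomp profile has been loaded (the `TRACE("Loaded seccomp profile")` context line sits directly above it), so a profile that filters the setuid/setgid family of syscalls would make every attach with a non-default uid or gid fail here. It fails closed through `goto on_error`, but unless `lxc_switch_uid_gid()` logs the failure itself (not visible in this hunk) the user gets no hint that the identity switch was the cause. The comment should also say why the switch is done this late, for example `/* Switch {u,g}id last: lxc_setgroups() above must run while we may still change groups. */`. Separately, the `lxc_setgroups(0, NULL)` call in the previous hunk still tolerates `EPERM`, in which case the process would keep its inherited supplementary groups across the uid change. attach_child_main starts and ends outside both hunks.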
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index e98f0a056..ae3b24cb0 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -72,6 +72,8 @@ static const struct option my_longopts[] = {
 	{"set-var", required_argument, 0, 'v'},
 	{"pty-log", required_argument, 0, 'L'},
 	{"rcfile", required_argument, 0, 'f'},
+	{"uid", required_argument, 0, 'u'},
+	{"gid", required_argument, 0, 'g'},
 	LXC_COMMON_OPTIONS
 };
 
@@ -122,6 +124,8 @@ Options :\n\
                     multiple times.\n\
   -f, --rcfile=FILE\n\
                     Load configuration file FILE\n\
+  -u, --uid=UID     Execute COMMAND with UID inside the container\n\
+  -g, --gid=GID     Execute COMMAND with GID inside the container\n\
 ",
 	.options      = my_longopts,
 	.parser       = my_parser,
@@ -187,6 +191,14 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
 	case 'f':
 		args->rcfile = arg;
 		break;
+	case 'u':
+		if (lxc_safe_uint(arg, &args->uid) < 0)
+			return -1;
+		break;
+	case 'g':
+		if (lxc_safe_uint(arg, &args->gid) < 0)
+			return -1;
+		break;
 	}
 
 	return 0;
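Review bot: The new `'u'` and `'g'` cases store whatever `lxc_safe_uint()` accepts, which presumably includes the top of the unsigned range, and that value is the `(uid_t)-1` / `(gid_t)-1` sentinel that attach.c treats as "not set" (see its context line `if (options->gid != (gid_t)-1)`). A request for that id would then be dropped silently and the command would run with the default identity instead of failing. Rejecting the sentinel at parse time keeps the failure explicit: `if (lxc_safe_uint(arg, &args->uid) < 0 || args->uid == (unsigned int)-1) return -1;`, and the same for `args->gid`. This assumes the two fields are `unsigned int` sized, which the hunk does not show; my_parser also starts outside the hunk.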
@@ -333,6 +345,14 @@ int main(int argc, char *argv[])
 			goto out;
 	}
 
+	if (my_args.uid) {
+		attach_options.uid = my_args.uid;
+	}
+
+	if (my_args.gid) {
+		attach_options.gid = my_args.gid;
+	}
+
 	if (command.program)
 		ret = c->attach(c, lxc_attach_run_command, &command, &attach_options, &pid);
 	else
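Review bot: `if (my_args.uid)` and `if (my_args.gid)` use 0 as the "option not given" marker, so an explicit `--uid 0` or `--gid 0` is ignored without any error. If the default identity for the attach is not 0 (attach.c appears to compute `new_uid`/`new_gid` elsewhere, outside what is shown), the command runs as a different user or group than the one the operator asked for. Use the same sentinel attach.c already checks: initialise the two fields to `(uid_t)-1` / `(gid_t)-1` where `my_args` is defined and test `if (my_args.uid != (uid_t)-1) attach_options.uid = my_args.uid;`, likewise for gid. The braces around the single statements also differ from the unbraced `if (command.program)` right below. main continues outside the hunk.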

