[lxc-devel] [lxc/master] utils: allow lxc-attach to set uid / gid
Disassembler0 on Github
lxc-bot at linuxcontainers.org
Sat Sep 8 21:23:01 UTC 2018
From 77c33627e3e860939a108b44bcc4fcd0687f1ec6 Mon Sep 17 00:00:00 2001
From: Disassembler <disassembler at dasm.cz>
Date: Sat, 8 Sep 2018 22:57:44 +0200
Subject: [PATCH] utils: allow lxc-attach to set uid / gid
- Allow lxc-attach to set UID / GID as requested in #2591
- Rearrange order of actions on attach
- Add documentation also for lxc-execute which has the same params
Signed-off-by: Disassembler <disassembler at dasm.cz>
---
doc/lxc-attach.sgml.in | 26 ++++++++++++++++++++++++++
doc/lxc-execute.sgml.in | 26 ++++++++++++++++++++++++++
src/lxc/attach.c | 14 +++++++-------
src/lxc/tools/lxc_attach.c | 20 ++++++++++++++++++++
4 files changed, 79 insertions(+), 7 deletions(-)
diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
index 713a30e7f..14fa77d79 100644
--- a/doc/lxc-attach.sgml.in
+++ b/doc/lxc-attach.sgml.in
@@ -60,6 +60,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<arg choice="opt">--clear-env</arg>
<arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
<arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
+ <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
+ <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
<arg choice="opt">-- <replaceable>command</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -282,6 +284,30 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>--u, --uid <replaceable>uid</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Executes the <replaceable>command</replaceable> with user ID
+ <replaceable>uid</replaceable> inside the container.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--g, --gid <replaceable>gid</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Executes the <replaceable>command</replaceable> with group ID
+ <replaceable>gid</replaceable> inside the container.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/lxc-execute.sgml.in b/doc/lxc-execute.sgml.in
index 20814348d..8b249b329 100644
--- a/doc/lxc-execute.sgml.in
+++ b/doc/lxc-execute.sgml.in
@@ -53,6 +53,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<arg choice="opt">-d</arg>
<arg choice="opt">-f <replaceable>config_file</replaceable></arg>
<arg choice="opt">-s KEY=VAL</arg>
+ <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
+ <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
<arg choice="opt">-- <replaceable>command</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -139,6 +141,30 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>--u, --uid <replaceable>uid</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Executes the <replaceable>command</replaceable> with user ID
+ <replaceable>uid</replaceable> inside the container.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--g, --gid <replaceable>gid</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Executes the <replaceable>command</replaceable> with group ID
+ <replaceable>gid</replaceable> inside the container.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--</option></term>
<listitem>
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 87f14398f..c0773851e 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -852,13 +852,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
if (options->gid != (gid_t)-1)
new_gid = options->gid;
- /* Try to set the {u,g}id combination. */
- if (new_uid != 0 || new_gid != 0 || options->namespaces & CLONE_NEWUSER) {
- ret = lxc_switch_uid_gid(new_uid, new_gid);
- if (ret < 0)
- goto on_error;
- }
-
ret = lxc_setgroups(0, NULL);
if (ret < 0 && errno != EPERM)
goto on_error;
@@ -897,6 +890,13 @@ static int attach_child_main(struct attach_clone_payload *payload)
TRACE("Loaded seccomp profile");
}
+ /* Try to set the {u,g}id combination. */
+ if (new_uid != 0 || new_gid != 0 || options->namespaces & CLONE_NEWUSER) {
+ ret = lxc_switch_uid_gid(new_uid, new_gid);
+ if (ret < 0)
+ goto on_error;
+ }
+
shutdown(payload->ipc_socket, SHUT_RDWR);
close(payload->ipc_socket);
payload->ipc_socket = -EBADF;
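Review bot: The relocated `lxc_switch_uid_gid()` call now runs after the seccomp profile has been loaded (the `TRACE("Loaded seccomp profile")` line just above), so the setuid/setgid calls it presumably makes are subject to the container's filter, and attach fails at `goto on_error` if the profile denies them. Neither the commit message ("Rearrange order of actions on attach") nor the code records why the order changed; a comment such as `/* Switch {u,g}id last: the setup steps above run with the original credentials. */` would keep a later refactor from moving it back. Separately, the `lxc_setgroups(0, NULL)` call in the previous hunk's context tolerates `EPERM`, so with a caller-chosen non-root uid the process may keep its supplementary groups when that call is denied; consider treating that as an error when a uid or gid was explicitly requested. `attach_child_main` extends beyond both hunks, so the steps between the old and new position are not visible here.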
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index e98f0a056..ae3b24cb0 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -72,6 +72,8 @@ static const struct option my_longopts[] = {
{"set-var", required_argument, 0, 'v'},
{"pty-log", required_argument, 0, 'L'},
{"rcfile", required_argument, 0, 'f'},
+ {"uid", required_argument, 0, 'u'},
+ {"gid", required_argument, 0, 'g'},
LXC_COMMON_OPTIONS
};
@@ -122,6 +124,8 @@ Options :\n\
multiple times.\n\
-f, --rcfile=FILE\n\
Load configuration file FILE\n\
+ -u, --uid=UID Execute COMMAND with UID inside the container\n\
+ -g, --gid=GID Execute COMMAND with GID inside the container\n\
",
.options = my_longopts,
.parser = my_parser,
@@ -187,6 +191,14 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
case 'f':
args->rcfile = arg;
break;
+ case 'u':
+ if (lxc_safe_uint(arg, &args->uid) < 0)
+ return -1;
+ break;
+ case 'g':
+ if (lxc_safe_uint(arg, &args->gid) < 0)
+ return -1;
+ break;
}
return 0;
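Review bot: The new `'u'` and `'g'` cases accept any value `lxc_safe_uint()` parses, which as far as I can tell includes `4294967295`; that is `(uid_t)-1`, the value `attach.c` treats as "not set" (`options->gid != (gid_t)-1` in the first attach.c hunk), so such a request would be silently ignored instead of rejected. Reject the sentinel at parse time, e.g. `if (lxc_safe_uint(arg, &args->uid) < 0 || args->uid == (uid_t)-1) return -1;`, and likewise for `args->gid`. The declaration of `args->uid` / `args->gid` is not part of this patch; if they are not `unsigned int`, parse into a temporary rather than passing their address. `my_parser` starts and ends outside the hunk.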
@@ -333,6 +345,14 @@ int main(int argc, char *argv[])
goto out;
}
+ if (my_args.uid) {
+ attach_options.uid = my_args.uid;
+ }
+
+ if (my_args.gid) {
+ attach_options.gid = my_args.gid;
+ }
+
if (command.program)
ret = c->attach(c, lxc_attach_run_command, &command, &attach_options, &pid);
else
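Review bot: `if (my_args.uid)` and `if (my_args.gid)` use 0 as the "option not given" marker, so an explicit `-u 0` or `-g 0` is indistinguishable from no option and never reaches `attach_options`. That matters whenever the library default is not 0 (`attach.c` only overrides its computed `new_gid` when `options->gid != (gid_t)-1`), because the caller's request for root is then dropped without any message. Use the same sentinel as the library: initialise `my_args.uid` and `my_args.gid` to `(uid_t)-1` / `(gid_t)-1` and test `if (my_args.uid != (uid_t)-1) attach_options.uid = my_args.uid;`. The `my_args` initialiser and the rest of `main` are outside this hunk, so the initial values are assumed to be zero here.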