[Lxc-users] lxc-setuid - does setuid for scripts work?

Daniel Lezcano daniel.lezcano at free.fr
Tue Aug 9 15:50:13 UTC 2011


On 08/09/2011 05:31 PM, Jasim A Basheer wrote:
> Hello,
>
> I needed a way to get lxc-create and lxc-execute to run as root when
> invoked through a process with normal privileges. Found that the
> lxc-setuid utility exists which assigns the uid bit to all the lxc
> scripts.
>
> But this does not work for me since Linux distros don't respect the
> setuid bit for scripts.
> (https://answers.launchpad.net/ubuntu/+question/9920,
> http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts)
>
> 1. I think I'm missing something here, but since setuid for shell
> scripts is insecure and not supported, is there a reason why the
> lxc-setuid script exists at all?

Some commands like lxc-start need some privilege to create the container:
 * create the cgroup
 * clone a new namespace
 * mount
 * etc ...

The POSIX file capabilities are used to give the right privileges to
these commands; this is what lxc-setcap does.
But file capabilities are not supported on NFS, so if you have the
tools installed on such a file system, lxc-setuid can be used instead.

This is useful if you want to launch a non-root application in a
container, for instance, lxc-execute -n foo /bin/bash

The scripts are used to create a rootfs filesystem with the right lxc
configuration. Most of the commands used in these scripts need root
privileges. It is considered that you need to be root to run these scripts.

> 2. Apart from writing a C front-end with setuid set, is there a way to
> get the lxc scripts to run from a process owned by a normal user?

Why don't you configure your host to grant sudo access for the
lxc-create/lxc-destroy commands?
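
The two points raised in this thread (the setuid bit is not honored on "#!" scripts, and file capabilities are unavailable on NFS), as an added audit sketch that is not part of the original message or of the lxc project. The function names are hypothetical, and the filesystem check assumes GNU stat (`stat -f -c %T`).

```shell
#!/bin/sh
# Added example, not lxc code. For each lxc-* file in a directory, report
# whether a setuid bit would take effect and which helper the thread
# suggests for the filesystem the file lives on.

# magic FILE N: first N bytes of FILE as lowercase hex ("2321" for "#!")
magic() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_setuid FILE -> no-setuid | script-ignored | elf-honored | unknown
classify_setuid() {
    [ -u "$1" ] || { echo no-setuid; return; }
    case "$(magic "$1" 4)" in
        2321*)    echo script-ignored ;;  # "#!": setuid bit not applied to scripts
        7f454c46) echo elf-honored ;;     # "\177ELF": setuid bit applies at exec
        *)        echo unknown ;;
    esac
}

# privilege_helper FILE -> lxc-setuid on NFS (no file capabilities there,
# per the thread), lxc-setcap otherwise. Assumes GNU stat.
privilege_helper() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        nfs*) echo lxc-setuid ;;
        *)    echo lxc-setcap ;;
    esac
}

# audit DIR: one tab-separated line per lxc-* regular file in DIR
audit() {
    for f in "$1"/lxc-*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\t%s\n' "$f" \
            "$(classify_setuid "$f")" "$(privilege_helper "$f")"
    done
}

# Run as: sh audit.sh DIR   (DIR is wherever the lxc tools are installed)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A file reported as `script-ignored` carries a setuid bit that grants nothing when the script is executed, which matches the behaviour described in the question.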





