On Thu, Jul 03, 2014 at 01:57:57PM -0500, Serge Hallyn wrote:
> New kernels require that to have privilege over a file, your
> userns must have the old and new groups mapped into your userns.
> So if a file is owned by our uid but another groupid, then we
> have to chgrp the file to our primary group before we can try
> (in a new user namespace) to chgrp the file to a group id in the
> namespace.
> 
> But in some cases (when cloning) the file may already be mapped
> into the container.  Now we cannot chgrp the file to our own
> primary group - and we don't have to.
> 
> So detect that case.  Only try to chgrp the file to our primary
> group if the file is owned by our euid (i.e. not by the container)
> and the owning group is not already mapped into the container by
> default.
> 
> With this patch, I'm again able to both create and clone containers
> with no errors.
> 
> Reported-by: S.Çağlar Onur <[email protected]>
> Signed-off-by: Serge Hallyn <[email protected]>

Acked-by: Stéphane Graber <[email protected]>

> ---
>  src/lxc/conf.c | 11 ++++++++---
>  1 file changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index dd92dae..66108bb 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3574,9 +3574,14 @@ int chown_mapped_root(char *path, struct lxc_conf 
> *conf)
>                       return -1;
>               }
>  
> -             // a trick for chgrp the file that is not owned by oneself
> -             if (chown(path, -1, hostgid) < 0) {
> -                     ERROR("Error chgrp %s", path);
> +             /*
> +              * A file has to be group-owned by a gid mapped into the
> +              * container, or the container won't be privileged over it.
> +              */
> +             if (sb.st_uid == geteuid() &&
> +                             mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 
> &&
> +                             chown(path, -1, hostgid) < 0) {
> +                     ERROR("Failed chgrping %s", path);
>                       return -1;
>               }
>  
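Review bot: the new three-way `&&` condition folds two "nothing to do" cases (the file is not owned by our euid; `mapped_hostid(sb.st_gid, conf, ID_TYPE_GID)` does not return a negative value, i.e. the group is already mapped) into the same branch as a real `chown()` failure, while the comment above it only explains the mapping requirement, not the skips. Consider stating the skip cases in the comment, e.g. `/* Skip the chgrp when the file isn't ours or its gid is already mapped into the container. */`, so a reader does not mistake a silent skip for a chgrp that happened. Also worth a look: if `mapped_hostid()` can return a negative value for reasons other than "not mapped", that error path would now trigger a chgrp to `hostgid` rather than being reported, so it may be cleaner to check the lookup result separately before deciding to call `chown()`.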
> -- 
> 2.0.1
> 
> _______________________________________________
> lxc-devel mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
