
Re: [libvirt] [RFC PATCH 5/6] LXC: create tty device with proper permission for container



On Mon, Mar 11, 2013 at 02:26:51PM +0800, Gao feng wrote:
> Since the root user of container may be a normal
> user on host, we should make sure the container
> has rights to use the tty device.
> 
> Signed-off-by: Gao feng <gaofeng cn fujitsu com>
> ---
>  src/lxc/lxc_controller.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
> index c6f8c3b..4715f84 100644
> --- a/src/lxc/lxc_controller.c
> +++ b/src/lxc/lxc_controller.c
> @@ -1311,6 +1311,7 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>      char *opts = NULL;
>      char *devpts = NULL;
>      int ret = -1;
> +    uid_t uid = 0;
>  
>      if (!root) {
>          if (ctrl->nconsoles != 1) {
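Review bot: the new `uid_t uid = 0;` in this hunk is later formatted into the mount option string unconditionally, so when `userns` is not enabled the devpts mount gains an explicit `uid=0` that the previous code never set; if the option is kept at all, build it only inside the `VIR_DOMAIN_USER_NS_ENABLED` branch so the existing non-userns mount string stays unchanged.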
> @@ -1367,10 +1368,13 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>          goto cleanup;
>      }
>  
> +    if (ctrl->def->os.userns == VIR_DOMAIN_USER_NS_ENABLED)
> +        uid = ctrl->def->os.uidmap.low_first;
> +
>      /* XXX should we support gid=X for X!=5 for distros which use
>       * a different gid for tty?  */
> -    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s",
> -                    (mount_options ? mount_options : "")) < 0) {
> +    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,uid=%d,gid=5%s",
> +                    uid, (mount_options ? mount_options : "")) < 0) {
>          virReportOOMError();
>          goto cleanup;
>      }
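Review bot: `uid_t` is an unsigned type, so passing `uid` to `%d` in the new virAsprintf format string is a signed/unsigned mismatch; use `%u` with an `(unsigned int)` cast if the option stays. More fundamentally, devpts with no `uid=` option already gives each newly allocated pty the uid of the process that opens it, so pinning `uid=` to `uidmap.low_first` assigns every pty one fixed owner regardless of which uid the container process actually runs as; dropping the `uid=` addition and keeping the existing `ptmxmode`/`mode`/`gid` handling avoids that.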

This is bogus: if no 'uid' parameter is set for devpts, then the
PTYs that are created automatically get given the uid associated
with the calling process, which is what you want. With this change,
you are hardcoding the 'uid' regardless of what UID the process in
the container is running as, which will break things if any container
process changes its uid.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|