Drop lxc-setcap and lxc-setuid

As discussed earlier this week, lxc-setcap and lxc-setuid have been in pretty bad shape lately. Most if not all distros recommend against using them or don't ship them at all. With the ongoing work to get user namespaces working in upstream LXC, we think it's best to drop those two now as we prepare to land proper setuid helpers to deal with user namespaces. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2025-08-15 10:12:24 +00:00 · 2013-02-08 11:07:53 -05:00 · 2013-02-08 11:07:53 -05:00 · 113c39bfb8
commit 113c39bfb8
parent 4852d800d1
6 changed files with 1 additions and 303 deletions
--- a/.gitignore
+++ b/.gitignore
@ -55,8 +55,6 @@ src/lxc/lxc-monitor
 src/lxc/lxc-netstat
 src/lxc/lxc-ps
 src/lxc/lxc-restart
-src/lxc/lxc-setcap
-src/lxc/lxc-setuid
 src/lxc/lxc-shutdown
 src/lxc/lxc-start
 src/lxc/lxc-start-ephemeral
--- a/2
+++ b/2
@ -36,7 +36,7 @@ Downloading the current source code:

  For detailed build instruction refer to INSTALL and man lxc man page
  but a short command line should work:
-  ./autogen.sh && ./configure && make && sudo make install && sudo lxc-setcap
+  ./autogen.sh && ./configure && make && sudo make install
  preceded by ./autogen.sh if configure do not exist yet.

 Getting help:
--- a/configure.ac
+++ b/configure.ac
@ -356,8 +356,6 @@ AC_CONFIG_FILES([
 	src/lxc/lxc-ps
 	src/lxc/lxc-netstat
 	src/lxc/lxc-checkconfig
-	src/lxc/lxc-setcap
-	src/lxc/lxc-setuid
 	src/lxc/lxc-version
 	src/lxc/lxc-create
 	src/lxc/lxc-clone
@ -377,32 +375,3 @@ AC_CONFIG_FILES([
 ])
 AC_CONFIG_COMMANDS([default],[[]],[[]])
 AC_OUTPUT
-
-
-# Detect missing setcap binary
-AC_CHECK_PROG(SETCAP, setcap, yes, no, $PATH$PATH_SEPARATOR/sbin)
-if test "x$SETCAP" = "xno"; then
-	AC_MSG_NOTICE([
-
-Warning:
--------
-
-The setcap binary was not found. This means the tools to set the
-privilege for the lxc commands are not available, that's ok, but you
-will need to run these commands as root or install libcap-2.
-
-])
-
-else
-
-   AC_MSG_NOTICE([
-
-Advice:
-------
-
-If you wish to have a non root user to use the lxc tools,
-you can add the needed capabilities to the tools by invoking
-the 'lxc-setcap' script. To remove the capabilities, use
-'lxc-setcap -d'.
-])
-fi
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@ -122,8 +122,6 @@ bin_SCRIPTS = \
 	lxc-ps \
 	lxc-netstat \
 	lxc-checkconfig \
-	lxc-setcap \
-	lxc-setuid \
 	lxc-version \
 	lxc-create \
 	lxc-clone \
--- a/src/lxc/lxc-setcap.in
+++ b/src/lxc/lxc-setcap.in
@ -1,135 +0,0 @@
-#!/bin/sh
-
-#
-# lxc: linux Container library
-
-# Authors:
-# Daniel Lezcano <daniel.lezcano@free.fr>
-
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-#
-# This script allows to set or remove the capabilities on the lxc tools.
-# When the capabilities are set, a non root user can manage the containers.
-#
-
-. @DATADIR@/lxc/lxc.functions
-
-LXC_ATTACH_CAPS="cap_sys_admin,cap_dac_override"
-LXC_CREATE_CAPS="cap_sys_admin"
-LXC_NETSTAT_CAPS="cap_sys_admin"
-LXC_INIT_CAPS="cap_sys_admin,cap_dac_override"
-LXC_COMMON_CAPS="cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
-LXC_UNSHARE_CAPS=$LXC_COMMON_CAPS
-LXC_START_CAPS="$LXC_COMMON_CAPS,cap_fowner,cap_sys_chroot,cap_setpcap"
-LXC_EXECUTE_CAPS=$LXC_START_CAPS
-LXC_RESTART_CAPS="$LXC_START_CAPS,cap_mknod"
-LXC_CHECKPOINT_CAPS="$LXC_COMMON_CAPS,cap_sys_ptrace,cap_mknod"
-LXC_DROP_CAPS=""
-
-usage() {
-    echo "usage: $(basename $0) [-d]" >&2
-}
-
-help() {
-    usage
-    echo >&2
-    echo "Set or drop file capabilities on the lxc tools." >&2
-    echo >&2
-    echo "Options:" >&2
-    echo "  -d   drop file capabilities" >&2
-}
-
-lxc_setcaps()
-{
-    setcap $LXC_ATTACH_CAPS=ep @BINDIR@/lxc-attach
-    setcap $LXC_CREATE_CAPS=ep @BINDIR@/lxc-create
-    setcap $LXC_EXECUTE_CAPS=ep @BINDIR@/lxc-execute
-    setcap $LXC_START_CAPS=ep @BINDIR@/lxc-start
-    setcap $LXC_RESTART_CAPS=ep @BINDIR@/lxc-restart
-    setcap $LXC_UNSHARE_CAPS=ep @BINDIR@/lxc-unshare
-    setcap $LXC_NETSTAT_CAPS=ep @BINDIR@/lxc-netstat
-    setcap $LXC_CHECKPOINT_CAPS=ep @BINDIR@/lxc-checkpoint
-    setcap $LXC_INIT_CAPS=ep @LXCINITDIR@/lxc/lxc-init
-
-    test -e $lxc_path || mkdir -p $lxc_path
-    chmod 0777 $lxc_path
-}
-
-lxc_dropcaps()
-{
-    setcap -r $bindir/lxc-attach
-    setcap -r $bindir/lxc-create
-    setcap -r $bindir/lxc-execute
-    setcap -r $bindir/lxc-start
-    setcap -r $bindir/lxc-restart
-    setcap -r $bindir/lxc-unshare
-    setcap -r $bindir/lxc-netstat
-    setcap -r $bindir/lxc-checkpoint
-    setcap -r $lxcinitdir/lxc/lxc-init
-
-    chmod 0755 $lxc_path
-}
-
-usage_err() {
-    [ -n "$1" ] && echo "$1" >&2
-    usage
-    exit 1
-}
-
-optarg_check() {
-    if [ -z "$2" ]; then
-        usage_err "option '$1' requires an argument"
-    fi
-}
-
-while [ $# -gt 0 ]; do
-    opt="$1"
-    shift
-    case "$opt" in
-        -d)
-            LXC_DROP_CAPS="yes"
-            ;;
-        -h|--help)
-            help
-            exit 0
-            ;;
-        --)
-            break
-            ;;
-        -?)
-            usage_err "unknown option '$opt'"
-            ;;
-        -*)
-            # split opts -abc into -a -b -c
-            set -- $(echo "${opt#-}" | sed 's/\(.\)/ -\1/g') "$@"
-            ;;
-         *)
-            usage
-            exit 1
-            ;;
-    esac
-done;
-
-if [ "$(id -u)" != "0" ]; then
-   echo "$(basename $0): must be run as root" >&2
-   exit 1
-fi
-
-if [ -z "$LXC_DROP_CAPS" ]; then
-    lxc_setcaps
-else
-    lxc_dropcaps
-fi
--- a/src/lxc/lxc-setuid.in
+++ b/src/lxc/lxc-setuid.in
@ -1,132 +0,0 @@
-#!/bin/sh
-
-#
-# lxc: linux Container library
-
-# Authors:
-# Daniel Lezcano <daniel.lezcano@free.fr>
-
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-#
-# This script allows to set or remove the setuid execution bit on the lxc tools.
-# When the capabilities are set, a non root user can manage the containers.
-#
-
-. @DATADIR@/lxc/lxc.functions
-
-usage() {
-    echo "usage: $(basename $0) [-d]" >&2
-}
-
-help() {
-    usage
-    echo >&2
-    echo "Set or drop the setuid attribute on the lxc tools." >&2
-    echo >&2
-    echo "Options:" >&2
-    echo "  -d   drop the setuid attribute" >&2
-}
-
-setuid()
-{
-    if [ "$1" = "-r" ]; then
-        chmod -s $2
-    else
-        chmod +s $1
-    fi
-}
-
-lxc_setuid()
-{
-    setuid $bindir/lxc-attach
-    setuid $bindir/lxc-create
-    setuid $bindir/lxc-execute
-    setuid $bindir/lxc-start
-    setuid $bindir/lxc-restart
-    setuid $bindir/lxc-unshare
-    setuid $bindir/lxc-netstat
-    setuid $bindir/lxc-checkpoint
-    setuid $lxcinitdir/lxc-init
-
-    test -e $lxc_path || mkdir -p $lxc_path
-    chmod 0777 $lxc_path
-}
-
-lxc_dropuid()
-{
-    setuid -r $bindir/lxc-attach
-    setuid -r $bindir/lxc-create
-    setuid -r $bindir/lxc-execute
-    setuid -r $bindir/lxc-start
-    setuid -r $bindir/lxc-restart
-    setuid -r $bindir/lxc-unshare
-    setuid -r $bindir/lxc-netstat
-    setuid -r $bindir/lxc-checkpoint
-    setuid -r $lxcinitdir/lxc-init
-
-    chmod 0755 $lxc_path
-}
-
-usage_err() {
-    [ -n "$1" ] && echo "$1" >&2
-    usage
-    exit 1
-}
-
-optarg_check() {
-    if [ -z "$2" ]; then
-        usage_err "option '$1' requires an argument"
-    fi
-}
-
-while [ $# -gt 0 ]; do
-    opt="$1"
-    shift
-    case "$opt" in
-        -d)
-            LXC_DROP_CAPS="yes"
-            ;;
-        -h|--help)
-            help
-            exit 0
-            ;;
-        --)
-            break
-            ;;
-        -?)
-            usage_err "unknown option '$opt'"
-            ;;
-        -*)
-            # split opts -abc into -a -b -c
-            set -- $(echo "${opt#-}" | sed 's/\(.\)/ -\1/g') "$@"
-            ;;
-         *)
-            usage
-            exit 1
-            ;;
-    esac
-done;
-
-if [ "$(id -u)" != "0" ]; then
-   echo "$(basename $0): must be run as root" >&2
-   exit 1
-fi
-
-if [ -z "$LXC_DROP_CAPS" ]; then
-    lxc_setuid
-else
-    lxc_dropuid
-fi