start: check for CAP_SETGID before setgroups()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner 2017-01-07 12:41:18 +01:00
parent ca364dc0dd
commit 87bf0db03d
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D


@ -889,22 +889,17 @@ static int do_start(void *data)
* uid/gid. * uid/gid.
*/ */
if (handler->conf->is_execute) { if (handler->conf->is_execute) {
uid_t new_uid = 0; bool have_cap_setgid;
gid_t new_gid = 0; uid_t new_uid = handler->conf->init_uid;
gid_t new_gid = handler->conf->init_gid;
if (handler->conf->init_uid > 0)
new_uid = handler->conf->init_uid;
if (handler->conf->init_gid > 0)
new_gid = handler->conf->init_gid;
/* If we are in a new user namespace we already dropped all /* If we are in a new user namespace we already dropped all
* groups when we switched to root in the new user namespace * groups when we switched to root in the new user namespace
* further above. Only drop groups if we can, so ensure that we * further above. Only drop groups if we can, so ensure that we
* have necessary privilege. * have necessary privilege.
*/ */
bool can_setgroups = ((getuid() == 0) && (getgid() == 0)); have_cap_setgid = lxc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
if (lxc_list_empty(&handler->conf->id_map) && can_setgroups) { if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) {
if (lxc_setgroups(0, NULL) < 0) if (lxc_setgroups(0, NULL) < 0)
goto out_warn_father; goto out_warn_father;
} }
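Review bot: When `have_cap_setgid` is false and `id_map` is empty, `lxc_setgroups(0, NULL)` is now skipped with no log output, so the executed command keeps the supplementary groups it inherited from the caller while `new_uid`/`new_gid` are presumably applied further down, outside this hunk. If that best-effort behaviour is intended, it should be visible to the operator, for example `if (lxc_list_empty(&handler->conf->id_map) && !have_cap_setgid) WARN("CAP_SETGID not effective, keeping inherited supplementary groups");` before the uid/gid switch. The definition of `lxc_cap_is_set()` is not shown here; if it can report "not set" on an internal failure, that case ends up on the same silent path and would be better treated as an error via `goto out_warn_father;`. The block comment could also say explicitly that the groups are retained when the capability is missing. The `if (handler->conf->is_execute)` body and `do_start()` both continue outside the hunk.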