src/lxc/lxc-ls
src/lxc/lxc-monitor
src/lxc/lxc-netstat
+src/lxc/lxc-setcap
src/lxc/lxc-ps
src/lxc/lxc-restart
src/lxc/lxc-start
src/lxc/lxc-ps
src/lxc/lxc-ls
src/lxc/lxc-netstat
- src/lxc/lxc-checkconfig
+ src/lxc/lxc-checkconfig
+ src/lxc/lxc-setcap
etc/Makefile
etc/lxc-macvlan.conf
Advice:
-------
-When installing the tools, it is adviced to install as
-root, so the privilege for the commands will be set and
-they will be usable by non-root user
-
- make && sudo make install
-
+If you which to have a non root user to use the lxc tools,
+you can add the needed capabilities to the tools by invoking
+the 'lxc-setcap' script. To remove the capabilities, use
+'lxc-setcap -d'
])
fi
mkdir -p /var/lxc
chmod ugo+w /var/lxc
-setcap cap_sys_admin=ep %{_bindir}/lxc-init
-
-setcap cap_sys_admin=ep %{_bindir}/lxc-netstat
-
-setcap cap_sys_admin=ep %{_bindir}/lxc-create
-
-setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- %{_bindir}/lxc-execute
-
-setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- %{_bindir}/lxc-start
-
-setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- %{_bindir}/lxc-restart
-
-setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- %{_bindir}/lxc-unshare
-
%files
%defattr(-,root,root)
%{_sysconfdir}/%{name}/*
%{_libdir}/*.so*
%{_bindir}/*
+%{_libexecdir}/*
%{_mandir}/*
%files devel
%changelog
+* Mon Mar 24 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.1
+- Removed capability setting, let the user to do that through "lxc-setcap"
+
* Mon Feb 16 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.0
- Added more capabilities to the executables
lxc-ps \
lxc-netstat \
lxc-ls \
- lxc-checkconfig
+ lxc-checkconfig \
+ lxc-setcap
bin_PROGRAMS = \
lxc-unshare \
lxc_version_SOURCES = lxc_version.c
lxc_version_LDADD = liblxc.la
-install-libexecPROGRAMS:
- setcap cap_sys_admin=ep $(libexecdir)/lxc-init
-
install-exec-local:
- -@export PATH=$$PATH:/sbin:/usr/sbin && \
- mkdir -p $(localstatedir) && \
- \
- setcap cap_sys_admin=ep $(bindir)/lxc-create && \
- \
- setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- $(bindir)/lxc-execute && \
- \
- setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- $(bindir)/lxc-start && \
- \
- setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- $(bindir)/lxc-restart && \
- \
- setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
- $(bindir)/lxc-unshare && \
- \
- setcap cap_sys_admin=ep \
- $(bindir)/lxc-netstat && \
- \
- mkdir -p $(prefix)/var/lxc && \
- chmod ugo+rw $(prefix)/var/lxc || \
- (echo && echo && \
- echo "*****************************************************************" && \
- echo "* *" && \
- echo "* The installation failed to set file capabilities, that is ok, *" && \
- echo "* but you won't have enough privilege to run the 'lxc' commands *" && \
- echo "* and you will need to run them as 'root' yourself. *" && \
- echo "* *" && \
- echo "*****************************************************************" && \
- echo && echo)
+ @mkdir -p $(localstatedir) && mkdir -p $(prefix)/var/lxc && \
+ chmod ugo+rw $(prefix)/var/lxc
--- /dev/null
+#!/bin/bash
+
+#
+# lxc: linux Container library
+
+# Authors:
+# Daniel Lezcano <daniel.lezcano@free.fr>
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+#
+# This script allows to set or remove the capabilities on the lxc tools.
+# When the capabilities are set, a non root user can manage the containers.
+#
+
+LXC_CREATE_CAPS="cap_sys_admin"
+LXC_NETSTAT_CAPS="cap_sys_admin"
+LXC_INIT_CAPS="cap_sys_admin"
+LXC_UNSHARE_CAPS="cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
+LXC_START_CAPS="cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
+LXC_EXECUTE_CAPS=$LXC_START_CAPS
+LXC_RESTART_CAPS=$LXC_START_CAPS
+
+LXC_DROP_CAPS=""
+
+usage()
+{
+ echo "lxc-setcap [-d] : set or remove capabilities on the lxc tools"
+}
+
+lxc_setcaps()
+{
+ setcap $LXC_CREATE_CAPS=ep @BINDIR@/lxc-create
+ setcap $LXC_EXECUTE_CAPS=ep @BINDIR@/lxc-execute
+ setcap $LXC_START_CAPS=ep @BINDIR@/lxc-start
+ setcap $LXC_RESTART_CAPS=ep @BINDIR@/lxc-restart
+ setcap $LXC_UNSHARE_CAPS=ep @BINDIR@/lxc-unshare
+ setcap $LXC_NETSTAT_CAPS=ep @BINDIR@/lxc-netstat
+ setcap $LXC_INIT_CAPS=ep @LIBEXECDIR@/lxc-init
+}
+
+lxc_dropcaps()
+{
+ setcap -r @BINDIR@/lxc-create
+ setcap -r @BINDIR@/lxc-execute
+ setcap -r @BINDIR@/lxc-start
+ setcap -r @BINDIR@/lxc-restart
+ setcap -r @BINDIR@/lxc-unshare
+ setcap -r @BINDIR@/lxc-netstat
+ setcap -r @LIBEXECDIR@/lxc-init
+}
+
+if [ "$(id -u)" != "0" ]; then
+ echo "You have to be root to run this script"
+ exit 1
+fi
+
+
+if [ $? != 0 ]; then
+ usage
+ exit 1
+fi
+
+set -- $(getopt dh $*)
+
+for i in $*; do
+ case "$1" in
+ -d)
+ LXC_DROP_CAPS="yes"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+done;
+
+if [ -z "$LXC_DROP_CAPS" ]; then
+ lxc_setcaps
+else
+ lxc_dropcaps
+fi
projects / thirdparty / lxc.git / commitdiff
