Set UID/GID to parent value for lxc-execute

Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 9870455b3caeccb7470b822d995a74f46893ff79..42921740168a9d3a62db73340414786eeab20b80 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2604,6 +2604,9 @@ struct lxc_conf *lxc_conf_init(void)
        for (i = 0; i < LXC_NS_MAX; i++)
                new->inherit_ns_fd[i] = -1;
 
+       new->parent_uid = getuid();
+       new->parent_gid = getgid();
+
        return new;
 }
 

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 2d67f0da648f371b4cd43b252708cd4869dae138..47d4407e705e87b70af1b22fdada512ce0cd1132 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -365,6 +365,10 @@ struct lxc_conf {
 
        /* init command */
        char *init_cmd;
+
+       /* The UID/GID of the process creating the container */
+       uid_t parent_uid;
+       gid_t parent_gid;
 };
 
 #ifdef HAVE_TLS

diff --git a/src/lxc/start.c b/src/lxc/start.c
index ce65e824332053f22311412ff5d26c7c9c1b0cef..eb6b94df89e7912844f56a8f978c5a5b3ffd6564 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -667,13 +667,15 @@ static int do_start(void *data)
         * privilege over our namespace. We don't become root for lxc-execute, as
         * the intent is to execute a command as the original user.
         */
-       if (!handler->conf->is_execute && !lxc_list_empty(&handler->conf->id_map)) {
-               NOTICE("switching to gid/uid 0 in new user namespace");
-               if (setgid(0)) {
+       if (!lxc_list_empty(&handler->conf->id_map)) {
+               gid_t new_gid = handler->conf->is_execute ? handler->conf->parent_gid : 0;
+               gid_t new_uid = handler->conf->is_execute ? handler->conf->parent_uid : 0;
+               NOTICE("switching to gid/uid %d/%d in new user namespace", new_gid, new_uid);
+               if (setgid(new_gid)) {
                        SYSERROR("setgid");
                        goto out_warn_father;
                }
-               if (setuid(0)) {
+               if (setuid(new_uid)) {
                        SYSERROR("setuid");
                        goto out_warn_father;
                }