]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3d277c5)
caps: check uid and euid 2831/head
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 8 Feb 2019 14:11:46 +0000 (15:11 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Fri, 8 Feb 2019 14:17:04 +0000 (15:17 +0100)
When we are running inside of a user namespace getuid() will return a
non-zero uid. So let's check euid as well to make sure we correctly drop
capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/caps.c patch | blob | blame | history

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 5638c712e141e4cd769b16130d9f165be73e8a6b..1346ec74f3ea6063bfe2a1d3635bcaa8da4e586e 100644 (file)
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -154,8 +154,7 @@ int lxc_ambient_caps_up(void)
        int last_cap = CAP_LAST_CAP;
        char *cap_names = NULL;
 
-       /* When we are run as root, we don't want to play with the capabilities. */
-       if (!getuid())
+       if (!getuid() || geteuid())
                return 0;
 
        caps = cap_get_proc();
@@ -222,8 +221,7 @@ int lxc_ambient_caps_down(void)
        cap_t caps;
        cap_value_t cap;
 
-       /* When we are run as root, we don't want to play with the capabilities. */
-       if (!getuid())
+       if (!getuid() || geteuid())
                return 0;
 
        ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
Mirror of https://github.com/lxc/lxc.git