From: Patrick Toomey <ptoomey3@biasedcoin.com>
Date: Mon, 20 Jul 2015 18:37:20 +0000 (-0600)
Subject: Set UID/GID to parent value for lxc-execute
X-Git-Tag: lxc-2.0.0.beta1~164^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56f8ff00e35b8729e66de46d3bdc5afa6a726f28;p=thirdparty%2Flxc.git

Set UID/GID to parent value for lxc-execute

Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>
---

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 9870455b3..429217401 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2604,6 +2604,9 @@ struct lxc_conf *lxc_conf_init(void)
 	for (i = 0; i < LXC_NS_MAX; i++)
 		new->inherit_ns_fd[i] = -1;
 
+	new->parent_uid = getuid();
+	new->parent_gid = getgid();
+
 	return new;
 }
 
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 2d67f0da6..47d4407e7 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -365,6 +365,10 @@ struct lxc_conf {
 
 	/* init command */
 	char *init_cmd;
+
+	/* The UID/GID of the process creating the container */
+	uid_t parent_uid;
+	gid_t parent_gid;
 };
 
 #ifdef HAVE_TLS
diff --git a/src/lxc/start.c b/src/lxc/start.c
index ce65e8243..eb6b94df8 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -667,13 +667,15 @@ static int do_start(void *data)
 	 * privilege over our namespace. We don't become root for lxc-execute, as
 	 * the intent is to execute a command as the original user.
 	 */
-	if (!handler->conf->is_execute && !lxc_list_empty(&handler->conf->id_map)) {
-		NOTICE("switching to gid/uid 0 in new user namespace");
-		if (setgid(0)) {
+	if (!lxc_list_empty(&handler->conf->id_map)) {
+		gid_t new_gid = handler->conf->is_execute ? handler->conf->parent_gid : 0;
+		gid_t new_uid = handler->conf->is_execute ? handler->conf->parent_uid : 0;
+		NOTICE("switching to gid/uid %d/%d in new user namespace", new_gid, new_uid);
+		if (setgid(new_gid)) {
 			SYSERROR("setgid");
 			goto out_warn_father;
 		}
-		if (setuid(0)) {
+		if (setuid(new_uid)) {
 			SYSERROR("setuid");
 			goto out_warn_father;
 		}