From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 8 Feb 2019 14:11:46 +0000 (+0100)
Subject: caps: check uid and euid
X-Git-Tag: lxc-2.0.10~9^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d18e582f87998e2ae1d7ce8729467d1721c20ac;p=thirdparty%2Flxc.git

caps: check uid and euid

When we are running inside of a user namespace getuid() will return a
non-zero uid. So let's check euid as well to make sure we correctly drop
capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 5638c712e..1346ec74f 100644
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -154,8 +154,7 @@ int lxc_ambient_caps_up(void)
 	int last_cap = CAP_LAST_CAP;
 	char *cap_names = NULL;
 
-	/* When we are run as root, we don't want to play with the capabilities. */
-	if (!getuid())
+	if (!getuid() || geteuid())
 		return 0;
 
 	caps = cap_get_proc();
@@ -222,8 +221,7 @@ int lxc_ambient_caps_down(void)
 	cap_t caps;
 	cap_value_t cap;
 
-	/* When we are run as root, we don't want to play with the capabilities. */
-	if (!getuid())
+	if (!getuid() || geteuid())
 		return 0;
 
 	ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);