From: Yifeng Tan
Date: Fri, 24 Nov 2017 12:03:47 +0000 (+0800)
Subject: start.c: always switch uid and gid
X-Git-Tag: lxc-3.0.0.beta1~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=928b1f04fc0c7579e19822e0f8a620ba121d7f97;p=thirdparty%2Flxc.git

start.c: always switch uid and gid

Signed-off-by: Yifeng Tan
Reviewed-by: Christian Brauner
---

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4d583125b..1c47fd95e 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -776,6 +776,9 @@ static int do_start(void *data)
 char path[PATH_MAX];
 int devnull_fd = -1;
 struct lxc_handler *handler = data;
+ bool have_cap_setgid;
+ uid_t new_uid;
+ gid_t new_gid;
 
 if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
 SYSERROR("Failed to set signal mask.");
@@ -1009,30 +1012,27 @@ static int do_start(void *data)
 /* The container has been setup. We can now switch to an unprivileged
 * uid/gid.
 */
- if (handler->conf->is_execute) {
- bool have_cap_setgid;
- uid_t new_uid = handler->conf->init_uid;
- gid_t new_gid = handler->conf->init_gid;
-
- /* If we are in a new user namespace we already dropped all
- * groups when we switched to root in the new user namespace
- * further above. Only drop groups if we can, so ensure that we
- * have necessary privilege.
- */
- #if HAVE_LIBCAP
- have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
- #else
- have_cap_setgid = false;
- #endif
- if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) {
- if (lxc_setgroups(0, NULL) < 0)
- goto out_warn_father;
- }
+ new_uid = handler->conf->init_uid;
+ new_gid = handler->conf->init_gid;
 
- if (lxc_switch_uid_gid(new_uid, new_gid) < 0)
+ /* If we are in a new user namespace we already dropped all
+ * groups when we switched to root in the new user namespace
+ * further above. Only drop groups if we can, so ensure that we
+ * have necessary privilege.
+ */
+ #if HAVE_LIBCAP
+ have_cap_setgid = lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE);
+ #else
+ have_cap_setgid = false;
+ #endif
+ if (lxc_list_empty(&handler->conf->id_map) && have_cap_setgid) {
+ if (lxc_setgroups(0, NULL) < 0)
 goto out_warn_father;
 }
 
+ if (lxc_switch_uid_gid(new_uid, new_gid) < 0)
+ goto out_warn_father;
+
 /* After this call, we are in error because this ops should not return
 * as it execs.
 */
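Review bot: Supplementary groups are dropped only when `have_cap_setgid` is true, and on a build without libcap the `#else` branch hard-codes it to `false`, so `lxc_setgroups(0, NULL)` is never attempted before `lxc_switch_uid_gid(new_uid, new_gid)`. With the `is_execute` guard removed this path now runs on every container start, so a container with an empty `id_map` and a non-root `init_uid`/`init_gid` would appear to keep whatever groups the starting process had, with nothing in the log to show it. I would make the skip visible with `else if (lxc_list_empty(&handler->conf->id_map)) WARN("Not dropping supplementary groups: CAP_SETGID unavailable");`, or attempt the call regardless and tolerate only a permission error. `do_start` begins and ends outside this hunk, so whether groups were already cleared earlier for this case cannot be confirmed from the lines shown.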