From: Patrick Toomey
Date: Tue, 18 Aug 2015 22:26:28 +0000 (-0600)
Subject: Pass UID/GID explicitly through flags
X-Git-Tag: lxc-2.0.0.beta1~164^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5cd20ce8e2d36ff26da4deb22f0bc29484da74a;p=thirdparty%2Flxc.git

Pass UID/GID explicitly through flags

Signed-off-by: Patrick Toomey
---
diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
index cc85f863f..0f2049b8c 100644
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -88,6 +88,10 @@ struct lxc_arguments {
 char *lvname, *vgname, *thinpool;
 char *zfsroot, *lowerdir, *dir;
 
+ /* lxc-execute */
+ uid_t uid;
+ gid_t gid;
+
 /* auto-start */
 int all;
 int ignore_auto;
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 429217401..9870455b3 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2604,9 +2604,6 @@ struct lxc_conf *lxc_conf_init(void)
 for (i = 0; i < LXC_NS_MAX; i++)
 new->inherit_ns_fd[i] = -1;
 
- new->parent_uid = getuid();
- new->parent_gid = getgid();
-
 return new;
 }
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 47d4407e7..0087586e4 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -366,9 +366,9 @@ struct lxc_conf {
 /* init command */
 char *init_cmd;
 
- /* The UID/GID of the process creating the container */
- uid_t parent_uid;
- gid_t parent_gid;
+ /* the UID/GID that COMMAND for lxc-execute should run under */
+ uid_t init_uid;
+ gid_t init_gid;
 };
 
 #ifdef HAVE_TLS
diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
index 4f1e1f674..4f42236e3 100644
--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -59,7 +59,9 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
 switch (c) {
 case 'f': args->rcfile = arg; break;
- case 's': return lxc_config_define_add(&defines, arg);
+ case 's': return lxc_config_define_add(&defines, arg); break;
+ case 'u': args->uid = atoi(arg); break;
+ case 'g': args->gid = atoi(arg);
 }
 return 0;
 }
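Review bot: The two removed lines in lxc_conf_init were the only initialization of the fields that replace them, and nothing in this hunk sets `init_uid`/`init_gid`; unless the allocation earlier in lxc_conf_init (outside the hunk) zero-fills `new`, the `handler->conf->init_gid` / `init_uid` reads added in start.c and the defaults assumed by lxc_execute.c operate on indeterminate values. If the struct is not zeroed there, add `new->init_uid = 0;` and `new->init_gid = 0;` where the getuid()/getgid() lines were, so the "run as root in the namespace" default is explicit rather than accidental. lxc_conf_init starts outside the hunk.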
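Review bot: The new `'u'` and `'g'` cases parse the value with `atoi(arg)`, which cannot report an error: a non-numeric, empty or out-of-range `--uid`/`--gid` value yields 0, and because the `if (my_args.uid)` guards in main() treat 0 as "not given", a typo in the option silently makes COMMAND run as uid/gid 0 of the user namespace instead of failing. Parse with strtoul, reject trailing garbage and ERANGE, and return non-zero so lxc_arguments_parse aborts like it already does for a failed `lxc_config_define_add` in the `'s'` case; the `break` added after that `return` is unreachable and can be dropped. The rewrite below replaces only the option cases inside the switch; my_parser's signature and return path are unchanged.
```c
	case 'u':
	case 'g': {
		char *end;
		unsigned long v;

		errno = 0;
		v = strtoul(arg, &end, 10);
		if (end == arg || *end != '\0' || errno == ERANGE) {
			fprintf(stderr, "invalid %s '%s'\n", c == 'u' ? "uid" : "gid", arg);
			return -1;
		}
		if (c == 'u')
			args->uid = (uid_t)v;
		else
			args->gid = (gid_t)v;
		break;
	}
	/* … unchanged: 'f' and 's' cases, closing of the switch, return 0 … */
```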
@@ -67,6 +69,8 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 static const struct option my_longopts[] = {
 {"rcfile", required_argument, 0, 'f'},
 {"define", required_argument, 0, 's'},
+ {"uid", required_argument, 0, 'u'},
+ {"gid", required_argument, 0, 'g'},
 LXC_COMMON_OPTIONS
 };
 
@@ -81,7 +85,9 @@ and execs COMMAND into this container.\n\
 Options :\n\
 -n, --name=NAME NAME for name of the container\n\
 -f, --rcfile=FILE Load configuration file FILE\n\
- -s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
+ -s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
+ -u, --uid=UID Execute COMMAND with UID inside the container\n\
+ -g, --gid=GID Execute COMMAND with GID inside the container\n",
 .options = my_longopts,
 .parser = my_parser,
 .checker = my_checker,
@@ -139,6 +145,12 @@ int main(int argc, char *argv[])
 if (lxc_config_define_load(&defines, conf))
 return 1;
 
+ if (my_args.uid)
+ conf->init_uid = my_args.uid;
+
+ if (my_args.gid)
+ conf->init_gid = my_args.gid;
+
 ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf,
 my_args.lxcpath[0], false);
 lxc_conf_free(conf);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index eb6b94df8..845621706 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -668,8 +668,14 @@ static int do_start(void *data)
 * the intent is to execute a command as the original user.
 */
 if (!lxc_list_empty(&handler->conf->id_map)) {
- gid_t new_gid = handler->conf->is_execute ? handler->conf->parent_gid : 0;
- gid_t new_uid = handler->conf->is_execute ? handler->conf->parent_uid : 0;
+ gid_t new_gid = 0;
+ if (handler->conf->is_execute && handler->conf->init_gid)
+ new_gid = handler->conf->init_gid;
+
+ uid_t new_uid = 0;
+ if (handler->conf->is_execute && handler->conf->init_uid)
+ new_uid = handler->conf->init_uid;
+
 NOTICE("switching to gid/uid %d/%d in new user namespace", new_gid, new_uid);
 if (setgid(new_gid)) {
 SYSERROR("setgid");
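Review bot: The `if (my_args.uid)` / `if (my_args.gid)` guards added in main() only skip an assignment of 0, which is the same value the fields are expected to hold by default, so they add a special case without changing the outcome; if lxc_conf_init zero-fills the struct (outside this diff), `conf->init_uid = my_args.uid;` and `conf->init_gid = my_args.gid;` unconditionally say the same thing more plainly. The guards also hide the fact that the `atoi` in my_parser maps a malformed `--uid` to 0, so the parser, not main(), is where a bad value has to be rejected. The help text added in the `@@ -81` hunk should state what happens when `--uid`/`--gid` are omitted, e.g. `-u, --uid=UID Execute COMMAND with UID inside the container (default: 0)\n\`, since that default is the security-relevant case for an unprivileged container.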
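Review bot: The context comment directly above the new code, "the intent is to execute a command as the original user", is now wrong: the new block no longer looks at the caller's uid/gid at all, and with `init_uid`/`init_gid` left at 0 an lxc-execute in a container with an id_map switches to uid/gid 0 of the new user namespace unless `--uid`/`--gid` were passed. Update that comment to say that lxc-execute runs COMMAND as `conf->init_uid`/`init_gid` (0, i.e. the namespace root, when not set), so a reader does not take the old intent as still holding. As a point of style, the added `&& handler->conf->init_gid` / `&& handler->conf->init_uid` tests are redundant with the 0 initializer — `gid_t new_gid = handler->conf->is_execute ? handler->conf->init_gid : 0;` (and the uid_t equivalent) yields the same value in every case. do_start begins and ends outside the hunk.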