From: Andrian Nord Date: Thu, 26 Nov 2009 15:46:25 +0000 (+0100) Subject: "Default" configuration may destroy host system X-Git-Tag: lxc-0.6.5~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2ae79a04567fb8c1181f4d3331d2b7a48889cf3;p=thirdparty%2Flxc.git "Default" configuration may destroy host system If you're running (by mistake or typo) (via lxc-start) container that does not exists it will run with lxc.rootfs=/, meaning that /sbin/init will restart initialization procedure, efficiently messing host's system, that may lead to unpredictable results or even destroy (make inaccessible) host system (by reseting network configuration or something like that). (Actually, it _did_ destroy system of everyone who tested this). Actually, I finally lost any meaning of having such a feature for full-system containers. You may not use hosts's FS - it's described at above. You may not use some temporary directory - that's nonsense. This patch forbinds starting container via lxc-start without rcfile and custom start program, but probably it fixes only small part of problem. I really don't see much sense in such a feature without ability of overriding 'default' setting with command line switches. Anyway, default behaviour should be as save as possible. Signed-off-by: Andrian Nord Signed-off-by: Daniel Lezcano --- diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index b8d03e850..d2471ebba 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -173,6 +173,11 @@ int main(int argc, char *argv[]) return err; } + if (!rcfile && !strcmp("/sbin/init", args[0])) { + ERROR("no configuration file for '/sbin/init' (may crash the host)"); + return err; + } + if (my_args.daemonize) { /* do not chdir as we want to open the log file,