From: Lennart Poettering Date: Thu, 28 Oct 2021 13:10:42 +0000 (+0200) Subject: nspawn: make sure to chown() implicit source dirs for --bind= to container root UID X-Git-Tag: v250-rc1~385 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07bca16fc8b2e3de770a8d6d2910321091765efc;p=thirdparty%2Fsystemd.git nspawn: make sure to chown() implicit source dirs for --bind= to container root UID This makes sure that a switch like --bind=:/foo does the right thing if user namespacing is one: the backing dir should be owned by the container's root UID not the host's. Thus, whenever the source path is left empty and we automatically generate a source dir as temporary directory, ensure it's owned by the right UID. Fixes: #20869 --- diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 751e270c6cf..2bfff79cde5 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -726,6 +726,11 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u return r; } + /* If this is a bind mount from a temporary sources change ownership of the source to the container's + * root UID. Otherwise it would always show up as "nobody" if user namespacing is used. */ + if (m->rm_rf_tmpdir && chown(m->source, uid_shift, uid_shift) < 0) + return log_error_errno(errno, "Failed to chown %s: %m", m->source); + if (stat(m->source, &source_st) < 0) return log_error_errno(errno, "Failed to stat %s: %m", m->source);
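Review bot: the new comment in the mount_bind() hunk has a number-agreement slip, "a bind mount from a temporary sources change ownership", and reads as two sentences run together; suggest "If this is a bind mount from a temporary source directory, change ownership of the source to the container's root UID." Since the check is a plain path-based chown(m->source, ...) rather than an fchown() on an already-opened descriptor, it is only safe because the `m->rm_rf_tmpdir` guard limits it to directories nspawn generated itself (per the commit message, the auto-created temporary source for an empty `--bind=:/foo` source); it would be worth saying that explicitly in the comment so a later change does not widen the condition to user-supplied paths. Placing the chown() before the subsequent stat() is the right order, as the `source_st` ownership then reflects the shifted UID.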