[Devel] [PATCH v2 5/6] add user mismatch test

Glauber Costa glommer at parallels.com
Tue Mar 12 02:58:37 PDT 2013


In theory, we won't be able to run if our private area is not owned by
ourselves.  We could, if it had very wide open security permissions, but we
should never set up a container like that.

Aside from a basic sanity check, this is intended to catch problems for the few
people who may have already created containers that will be owned by root:root,
and will now try to run it unprivileged.

Signed-off-by: Glauber Costa <glommer at parallels.com>
---
 src/lib/env.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/lib/env.c b/src/lib/env.c
index 75e2dee..d3b8cd0 100644
--- a/src/lib/env.c
+++ b/src/lib/env.c
@@ -30,6 +30,7 @@
 #include <linux/reboot.h>
 #include <sys/mount.h>
 #include <sys/utsname.h>
+#include <sys/stat.h>
 
 #include "vzerror.h"
 #include "res.h"
@@ -567,6 +568,18 @@ int vps_start_custom(vps_handler *h, envid_t veid, vps_param *param,
 		logger(-1, 0, "Container is already running");
 		return VZ_VE_RUNNING;
 	}
+	if (!is_vz_kernel(h) && h->can_join_userns) {
+		struct stat private_stat;
+		stat(res->fs.private, &private_stat);
+		if ((private_stat.st_uid != *res->misc.local_uid) ||
+			(private_stat.st_gid != *res->misc.local_gid)) {
+			logger(-1, 0, "Container private area is owned by %d:%d"
+			", but configuration file says we should run with %lu:%lu.\n"
+			"Refusing to run.", private_stat.st_uid, private_stat.st_gid,
+			*res->misc.local_uid, *res->misc.local_gid);
+			return VZ_FS_BAD_TMPL;
+		}
+	}
 	if ((ret = check_ub(h, &res->ub)))
 		return ret;
 
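Review bot: the return value of stat(res->fs.private, &private_stat) is not checked, so if the stat fails (missing private area, permission denied, dangling path) private_stat is left uninitialized and the uid/gid comparison reads garbage, producing either a spurious "refusing to run" with meaningless numbers or, worse, a silent pass. Suggest handling the failure explicitly before comparing, e.g. `if (stat(res->fs.private, &private_stat) < 0) { logger(-1, errno, "Unable to stat %s", res->fs.private); return VZ_FS_BAD_TMPL; }`, or whichever error code this path already uses for an unusable private area. Minor: st_uid and st_gid are uid_t/gid_t (unsigned on Linux), so `%u` rather than `%d` is the matching format; the `%lu` for *res->misc.local_uid / local_gid is only correct if those fields really are unsigned long, worth double-checking against their definition since a mismatch is undefined behaviour in the logger call.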
-- 
1.7.11.7