Merge pull request #2390 from 3XX0/conf-no-force-shadow

conf: only use newuidmap and newgidmap when necessary

Merge pull request #2390 from 3XX0/conf-no-force-shadow
79fcf759 · Christian Brauner · GitHub · 287c5df9 · c724025c · 79fcf759
Unverified Commit 79fcf759 authored Jun 10, 2018 by Christian Brauner Committed by GitHub Jun 10, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

conf.c src/lxc/conf.c +23 -1

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2845,6 +2845,10 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	int ret = 0, gidmap = 0, uidmap = 0;
 	char mapbuf[9 + 1 + LXC_NUMSTRLEN64 + 1 + LXC_IDMAPLEN] = {0};
 	bool had_entry = false, use_shadow = false;
+	int hostuid, hostgid;
+
+	hostuid = geteuid();
+	hostgid = getegid();

 	/* If new{g,u}idmap exists, that is, if shadow is handing out subuid
 	 * ranges, then insist that root also reserve ranges in subuid. This
@@ -2873,7 +2877,25 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 		 * doing so by requiring geteuid() == 0.
 		 */
 		DEBUG("No newuidmap and newgidmap binary found. Trying to "
-		      "write directly with euid %d", geteuid());
+		      "write directly with euid %d", hostuid);
+	}
+
+	/* Check if we really need to use newuidmap and newgidmap.
+	* If the user is only remapping his own {g,u}id, we don't need it.
+	*/
+	if (use_shadow && lxc_list_len(idmap) == 2) {
+		use_shadow = false;
+		lxc_list_for_each(iterator, idmap) {
+			map = iterator->elem;
+			if (map->idtype == ID_TYPE_UID && map->range == 1 &&
+			    map->nsid == hostuid && map->hostid == hostuid)
+				continue;
+			if (map->idtype == ID_TYPE_GID && map->range == 1 &&
+			    map->nsid == hostgid && map->hostid == hostgid)
+				continue;
+			use_shadow = true;
+			break;
+		}
 	}

 	for (type = ID_TYPE_UID, u_or_g = 'u'; type <= ID_TYPE_GID;