chown_mapped_root: don't try chgrp if we don't own the file

New kernels require that to have privilege over a file, your userns must have the old and new groups mapped into your userns. So if a file is owned by our uid but another groupid, then we have to chgrp the file to our primary group before we can try (in a new user namespace) to chgrp the file to a group id in the namespace. But in some cases (when cloning) the file may already be mapped into the container. Now we cannot chgrp the file to our own primary group - and we don't have to. So detect that case. Only try to chgrp the file to our primary group if the file is owned by our euid (i.e. not by the container) and the owning group is not already mapped into the container by default. With this patch, I'm again able to both create and clone containers with no errors again. Reported-by: S.Çağlar Onur <caglar@10ur.org> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

chown_mapped_root: don't try chgrp if we don't own the file
a8fe4754 · Serge Hallyn · Stéphane Graber · 82866e3c · a8fe4754
Commit a8fe4754 authored Jul 03, 2014 by Serge Hallyn Committed by Stéphane Graber Jul 03, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

conf.c src/lxc/conf.c +8 -3

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3565,9 +3565,14 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
 			return -1;
 		}

-		// a trick for chgrp the file that is not owned by oneself
-		if (chown(path, -1, hostgid) < 0) {
-			ERROR("Error chgrp %s", path);
+		/*
+		 * A file has to be group-owned by a gid mapped into the
+		 * container, or the container won't be privileged over it.
+		 */
+		if (sb.st_uid == geteuid() &&
+				mapped_hostid(sb.st_gid, conf, ID_TYPE_GID) < 0 &&
+				chown(path, -1, hostgid) < 0) {
+			ERROR("Failed chgrping %s", path);
 			return -1;
 		}