Pass UID/GID explicitly through flags

Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>

Pass UID/GID explicitly through flags
c5cd20ce · Patrick Toomey · 56f8ff00 · c5cd20ce · c5cd20ce · c5cd20ce
Commit c5cd20ce authored Aug 18, 2015 by Patrick Toomey
Showing with 29 additions and 10 deletions

arguments.h src/lxc/arguments.h +4 -0

conf.c src/lxc/conf.c +0 -3

conf.h src/lxc/conf.h +3 -3

lxc_execute.c src/lxc/lxc_execute.c +14 -2

start.c src/lxc/start.c +8 -2

No files found.
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -88,6 +88,10 @@ struct lxc_arguments {
 	char *lvname, *vgname, *thinpool;
 	char *zfsroot, *lowerdir, *dir;
+	/* lxc-execute */
+	uid_t uid;
+	gid_t gid;
 	/* auto-start */
 	int all;
 	int ignore_auto;

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2604,9 +2604,6 @@ struct lxc_conf *lxc_conf_init(void)
 	for (i = 0; i < LXC_NS_MAX; i++)
 		new->inherit_ns_fd[i] = -1;
-	new->parent_uid = getuid();
-	new->parent_gid = getgid();
 	return new;
 }

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -366,9 +366,9 @@ struct lxc_conf {
 	/* init command */
 	char *init_cmd;
-	/* The UID/GID of the process creating the container */
+	/* the UID/GID that COMMAND for lxc-execute should run under */
-	uid_t parent_uid;
+	uid_t init_uid;
-	gid_t parent_gid;
+	gid_t init_gid;
 };
 #ifdef HAVE_TLS

--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -59,7 +59,9 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
 	switch (c) {
 	case 'f': args->rcfile = arg; break;
-	case 's': return lxc_config_define_add(&defines, arg);
+	case 's': return lxc_config_define_add(&defines, arg); break;
+	case 'u': args->uid = atoi(arg); break;
+	case 'g': args->gid = atoi(arg);
 	}
 	return 0;
 }
@@ -67,6 +69,8 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 static const struct option my_longopts[] = {
 	{"rcfile", required_argument, 0, 'f'},
 	{"define", required_argument, 0, 's'},
+	{"uid", required_argument, 0, 'u'},
+	{"gid", required_argument, 0, 'g'},
 	LXC_COMMON_OPTIONS
 };
@@ -81,7 +85,9 @@ and execs COMMAND into this container.\n\
 Options :\n\
  -n, --name=NAME      NAME for name of the container\n\
  -f, --rcfile=FILE    Load configuration file FILE\n\
-  -s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
+  -s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
+  -u, --uid=UID Execute COMMAND with UID inside the container\n\
+  -g, --gid=GID Execute COMMAND with GID inside the container\n",
 	.options  = my_longopts,
 	.parser   = my_parser,
 	.checker  = my_checker,
@@ -139,6 +145,12 @@ int main(int argc, char *argv[])
 	if (lxc_config_define_load(&defines, conf))
 		return 1;
+	if (my_args.uid)
+		conf->init_uid = my_args.uid;
+	if (my_args.gid)
+		conf->init_gid = my_args.gid;
 	ret = lxc_execute(my_args.name, my_args.argv, my_args.quiet, conf, my_args.lxcpath[0], false);
 	lxc_conf_free(conf);

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -668,8 +668,14 @@ static int do_start(void *data)
 	 * the intent is to execute a command as the original user.
 	 */
 	if (!lxc_list_empty(&handler->conf->id_map)) {
-		gid_t new_gid = handler->conf->is_execute ? handler->conf->parent_gid : 0;
+		gid_t new_gid = 0;
-		gid_t new_uid = handler->conf->is_execute ? handler->conf->parent_uid : 0;
+		if (handler->conf->is_execute && handler->conf->init_gid)
+			new_gid = handler->conf->init_gid;
+		uid_t new_uid = 0;
+		if (handler->conf->is_execute && handler->conf->init_uid)
+			new_uid = handler->conf->init_uid;
 		NOTICE("switching to gid/uid %d/%d in new user namespace", new_gid, new_uid);
 		if (setgid(new_gid)) {
 			SYSERROR("setgid");