Re: [RFC PATCH 5/6] LXC: create tty device with proper permission for container

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2013/03/13 19:08, Daniel P. Berrange wrote:
> On Mon, Mar 11, 2013 at 02:26:51PM +0800, Gao feng wrote:
>> Since the root user of container may be a normal
>> user on host, we should make sure the container
>> has rights to use the tty device.
>>
>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>> ---
>>  src/lxc/lxc_controller.c | 8 ++++++--
>>  1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
>> index c6f8c3b..4715f84 100644
>> --- a/src/lxc/lxc_controller.c
>> +++ b/src/lxc/lxc_controller.c
>> @@ -1311,6 +1311,7 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>>      char *opts = NULL;
>>      char *devpts = NULL;
>>      int ret = -1;
>> +    uid_t uid = 0;
>>  
>>      if (!root) {
>>          if (ctrl->nconsoles != 1) {
>> @@ -1367,10 +1368,13 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>>          goto cleanup;
>>      }
>>  
>> +    if (ctrl->def->os.userns == VIR_DOMAIN_USER_NS_ENABLED)
>> +        uid = ctrl->def->os.uidmap.low_first;
>> +
>>      /* XXX should we support gid=X for X!=5 for distros which use
>>       * a different gid for tty?  */
>> -    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s",
>> -                    (mount_options ? mount_options : "")) < 0) {
>> +    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,uid=%d,gid=5%s",
>> +                    uid, (mount_options ? mount_options : "")) < 0) {
>>          virReportOOMError();
>>          goto cleanup;
>>      }
> 
> This is bogus, if no 'uid' parameter is set for devpts, then the
> PTYs that are created automatically get given the uid associated
> with the calling process, which is what you want. With this change,
> you are hardcoding the 'uid' regardless of what UID the process in
> the container is running as, which will break things if any container
> process changes its uid. 
> 

Thanks for teaching me this!
What we should do is change the owner of /dev/pts/x to the low_first user.
I am right?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]