On 2013/03/13 19:08, Daniel P. Berrange wrote:
> On Mon, Mar 11, 2013 at 02:26:51PM +0800, Gao feng wrote:
>> Since the root user of a container may be a normal
>> user on the host, we should make sure the container
>> has rights to use the tty device.
>>
>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>> ---
>> src/lxc/lxc_controller.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c >> index c6f8c3b..4715f84 100644 >> --- a/src/lxc/lxc_controller.c >> +++ b/src/lxc/lxc_controller.c >> @@ -1311,6 +1311,7 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl) >> char *opts = NULL; >> char *devpts = NULL; >> int ret = -1; >> + uid_t uid = 0; >> >> if (!root) { >> if (ctrl->nconsoles != 1) { >> @@ -1367,10 +1368,13 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl) >> goto cleanup; >> } >> >> + if (ctrl->def->os.userns == VIR_DOMAIN_USER_NS_ENABLED) >> + uid = ctrl->def->os.uidmap.low_first; >> >> + /* XXX should we support gid=X for X!=5 for distros which use >> * a different gid for tty? */ >> - if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s", >> - (mount_options ? mount_options : "")) < 0) { >> + if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,uid=%d,gid=5%s", >> + uid, (mount_options ? mount_options : "")) < 0) { >> virReportOOMError(); >> goto cleanup; >> }
>
> This is bogus: if no 'uid' parameter is set for devpts, then the
> PTYs that are created automatically get given the uid associated
> with the calling process, which is what you want. With this change,
> you are hardcoding the 'uid' regardless of what UID the process in
> the container is running as, which will break things if any container
> process changes its uid.
>

Thanks for teaching me this! What we should do is change the owner of
/dev/pts/x to the low_first user. Am I right?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
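Review bot: the second hunk in virLXCControllerSetupDevPTS emits `uid=%d` unconditionally, so with user namespaces disabled the mount now carries uid=0 (from the `uid_t uid = 0;` added in the first hunk) where before no uid option was passed at all and each PTY was owned by whichever process opened it; with userns enabled every PTY is pinned to `uidmap.low_first` even after a container process has switched uid. Either append the `uid=` option only inside the `VIR_DOMAIN_USER_NS_ENABLED` branch, or drop it and fix ownership per PTY after creation. Separately, `uid_t` is unsigned on Linux, so `%d` is the wrong conversion; cast to `unsigned int` and use `%u`. Note also that `gid=5` stays a raw host value while uid is translated through uidmap, which the `XXX` comment kept just above the virAsprintf already flags as unresolved.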
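The two behaviours argued about above, as an added example that is neither part of this thread nor libvirt code: a freshly created devpts slave is owned by the uid of the process that opened the master when the mount carries no uid= option (Daniel's point), and a controller can instead hand a single PTY to the container's mapped root by chowning that slave after creation (Gao feng's follow-up). It assumes Linux and glibc's `ptsname_r`; the value 100000 merely stands in for `uidmap.low_first` and is not taken from the patch.

```c
/* Added example, not libvirt code. Linux-specific: relies on devpts
 * semantics and glibc's ptsname_r (needs _GNU_SOURCE). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allocate a pty pair on the caller's /dev/pts instance. Returns the master
 * fd and writes the slave path into path, or returns -1 with errno set. */
static int open_pty_pair(char *path, size_t len)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        ptsname_r(master, path, len) != 0) {
        int saved = errno;
        close(master);
        errno = saved;
        return -1;
    }
    return master;
}

/* Daniel's point: with no uid= mount option, the slave node devpts creates
 * belongs to the effective uid of the process that opened the master.
 * Returns 1 if that holds, 0 if not, -1 if no pty could be allocated. */
int pty_owned_by_caller(void)
{
    char path[64];
    struct stat st;
    int master = open_pty_pair(path, sizeof path);
    if (master < 0)
        return -1;
    int rc = stat(path, &st);
    close(master);
    if (rc < 0)
        return -1;
    return st.st_uid == geteuid() ? 1 : 0;
}

/* Gao feng's follow-up: leave the mount options alone and give one PTY to a
 * target uid (the container's mapped root) by chowning the slave after it is
 * created. Group is left unchanged so the mount's gid=5 / mode 0620 still
 * apply. Unprivileged callers may only chown to their own uid; otherwise
 * CAP_CHOWN is needed. Returns the master fd, or -1 with errno set. */
int pty_create_for_uid(uid_t target, char *path, size_t len)
{
    int master = open_pty_pair(path, len);
    if (master < 0)
        return -1;
    if (chown(path, target, (gid_t)-1) < 0) {
        int saved = errno;
        close(master);
        errno = saved;
        return -1;
    }
    return master;
}

int main(void)
{
    char path[64] = "";
    struct stat st;

    printf("new slave owned by caller: %d (euid %u)\n",
           pty_owned_by_caller(), (unsigned)geteuid());

    /* Assumption for the demo: 100000 stands in for uidmap.low_first. */
    uid_t low_first = 100000;
    int fd = pty_create_for_uid(low_first, path, sizeof path);
    if (fd < 0) {
        printf("chown of %s to uid %u failed: %s (expected unless root)\n",
               path, (unsigned)low_first, strerror(errno));
    } else {
        if (stat(path, &st) == 0)
            printf("%s now owned by uid %u, mode %o\n", path,
                   (unsigned)st.st_uid, (unsigned)(st.st_mode & 07777));
        close(fd);
    }
    return 0;
}
```

Run it once as a normal user (the chown to 100000 fails with EPERM while the ownership check reports 1) and once as root (the chown succeeds and the slave shows the new owner with the mount's mode untouched); that difference is exactly why a per-PTY chown done by the privileged controller is a narrower change than a mount-wide uid= option.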