From 7cfb107f2c5be3cf1368d38d70845fbaec5958a8 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Wed, 12 Jul 2017 06:27:01 +1000
Subject: [PATCH] factory: use e{u,g}id as the owner of /run/runc/$id

It appears as though these semantics were not fully thought out when implementing them for rootless containers. It is not necessary (and could be potentially dangerous) to set the owner of /run/ctr/$id to be the root inside the container (if user namespaces are being used). Instead, just use the e{g,u}id of runc to determine the owner.

Signed-off-by: Aleksa Sarai
---
 libcontainer/factory_linux.go | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 72af513f..42b6f5a0 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -162,14 +162,6 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 if err := l.Validator.Validate(config); err != nil {
 return nil, newGenericError(err, ConfigInvalid)
 }
-uid, err := config.HostRootUID()
-if err != nil {
-return nil, newGenericError(err, SystemError)
-}
-gid, err := config.HostRootGID()
-if err != nil {
-return nil, newGenericError(err, SystemError)
-}
 containerRoot := filepath.Join(l.Root, id)
 if _, err := os.Stat(containerRoot); err == nil {
 return nil, newGenericError(fmt.Errorf("container with id exists: %v", id), IdInUse)
@@ -179,7 +171,7 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 if err := os.MkdirAll(containerRoot, 0711); err != nil {
 return nil, newGenericError(err, SystemError)
 }
-if err := os.Chown(containerRoot, uid, gid); err != nil {
+if err := os.Chown(containerRoot, unix.Geteuid(), unix.Getegid()); err != nil {
 return nil, newGenericError(err, SystemError)
 }
 if config.Rootless {
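Review bot: The new os.Chown line carries none of the reasoning from the commit message, so a later reader has to guess why the state directory is owned by runc's effective uid/gid rather than the container's root; a comment above it would keep that intent in the code, e.g. `// Own the state dir as the runc process itself (its effective ids), never as the in-container root: with user namespaces that uid maps to an unprivileged host user that must not control /run/runc/$id.` Because the directory is created by os.MkdirAll a few lines earlier in the same process, the chown is normally a no-op; it still changes something when the parent directory carries the setgid bit and the group is inherited, which is worth stating so the call is not later removed as redundant. The diffstat shows no import change, so `unix` is presumably already imported in this file; the stdlib `os.Geteuid()`/`os.Getegid()` would give the same result without the platform package, but that is a style preference. Create begins before and continues past this hunk.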