
List:       lxc-users
Subject:    [Lxc-users] lxc-setuid - does setuid for scripts work?
From:       jasim.ab () gmail ! com (Jasim A Basheer)
Date:       2011-08-12 13:02:24
Message-ID: CAEQbLHVxR-DA8qQY6f4p=UzzCYP40Rxt2u7QcpxiLnP4S1XTyw () mail ! gmail ! com

On Tue, Aug 9, 2011 at 9:20 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> On 08/09/2011 05:31 PM, Jasim A Basheer wrote:
>> Hello,
>>
>> I needed a way to get lxc-create and lxc-execute to run as root when
>> invoked through a process with normal privileges. Found that the
>> lxc-setuid utility exists which assigns the uid bit to all the lxc
>> scripts.
>>
>> But this does not work for me since Linux distros don't respect the
>> setuid bit for scripts.
>> (https://answers.launchpad.net/ubuntu/+question/9920,
>> http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts)
>>
>> 1. I think I'm missing something here, but since setuid for shell
>> scripts is insecure and not supported, is there a reason why the
>> lxc-setuid script exists at all?
>
> Some commands like lxc-start need some privilege to create the container:
> * create the cgroup
> * clone a new namespace
> * mount
> * etc ...
>
> The posix file capabilities are used to give the right privileges to
> these commands; this is what lxc-setcap does.
> But the file capabilities are not supported on NFS, so if you have the
> tools installed on such file system, the lxc-setuid can be used instead.
>
> This is useful if you want to launch a non-root application in a
> container, for instance, lxc-execute -n foo /bin/bash
>
> The scripts are used to create a rootfs filesystem with the right lxc
> configuration. Most of the commands used in these scripts need root
> privileges. It is considered you need to be root to run these scripts.
>
>> 2. Apart from writing a C front-end with setuid set, is there a way to
>> get the lxc scripts to run from a process owned by a normal user?
> Why don't you configure your host to grant sudo access for
> lxc-create/lxc-destroy commands?
>
>
>

I got it working by granting sudo access to just lxc-create and
lxc-destroy. Thank you.
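
Added example, not part of the original thread or of the LXC project: a POSIX shell audit for the point raised in the question, that Linux ignores the setuid bit on `#!` scripts, so the bit only takes effect on compiled tools. The function names `classify_setuid` and `audit_dir` and the files created in `demo` are constructed for illustration; point `audit_dir` at the directory where your lxc tools are installed.

```shell
#!/bin/sh
# classify_setuid FILE
# Prints one of:
#   setuid-script  setuid bit set on a "#!" script; Linux ignores the bit
#   setuid-binary  setuid bit set on a non-script executable; the bit is honoured
#   plain-script   "#!" script without the setuid bit
#   plain-binary   any other file without the setuid bit
classify_setuid() {
    f=$1
    # The first two bytes decide whether the kernel hands the file to an interpreter.
    magic=$(head -c 2 "$f" 2>/dev/null)
    if [ "$magic" = '#!' ]; then kind=script; else kind=binary; fi
    if [ -u "$f" ]; then
        echo "setuid-$kind"
    else
        echo "plain-$kind"
    fi
}

# audit_dir DIR PREFIX
# Classify every executable regular file named DIR/PREFIX*, one per line.
audit_dir() {
    for f in "$1"/"$2"*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        printf '%s\t%s\n' "$(classify_setuid "$f")" "$f"
    done
}

# Constructed demo: stand-in files in a temp directory, not real lxc tools.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho create\n' > "$d/lxc-create"   # stand-in script
    printf '\177ELF-placeholder' > "$d/lxc-execute"       # stand-in binary
    chmod 4755 "$d/lxc-create" "$d/lxc-execute"
    audit_dir "$d" lxc-
    rm -rf "$d"
}

demo
```

Any file reported as `setuid-script` still runs with the caller's privileges, which is why the scripts need root or a sudo rule such as the one settled on in this thread.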


