X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=lxcsu;h=85b1ff72826c38d005845c67ef5895a530c424fb;hb=df40f9604c78752536de9314f1f03744531d7915;hp=ebc3cf59596c6bc02e806c91b47974ef24a190a8;hpb=2adecab2c9595529b4748c50f78f02a09c8264e8;p=lxc-userspace.git
diff --git a/lxcsu b/lxcsu
index ebc3cf5..85b1ff7 100755
--- a/lxcsu
+++ b/lxcsu
@@ -7,8 +7,6 @@ import pdb
 from argparse import ArgumentParser
-drop_capabilities='cap_sys_admin,cap_sys_boot,cap_sys_module'
-
 # can set to True here, but also use the -d option
 debug = False
@@ -105,7 +103,8 @@ def main ():
 # convert to int as a minimal raincheck
 driver_pid = int(os.popen(cmd).read().strip())
 # locate the pid for the - expected - single child, that would be the init for that VM
- init_pid = int(open("/proc/%s/task/%s/children"%(driver_pid,driver_pid)).read().strip())
+ #init_pid = int(open("/proc/%s/task/%s/children"%(driver_pid,driver_pid)).read().strip())
+ init_pid = int(os.popen('pgrep -P %s'%driver_pid).readlines()[0].strip())
 # Thierry: I am changing the code below to use child_pid instead of driver_pid
 # for the namespace handling features, that I was able to check
 # I've left the other ones as they were, i.e. using driver_pid, but I suspect
@@ -231,19 +230,6 @@ def main ():
 fork_pid = os.fork()
- # capsh has a --user option starting with f14
- # so if only for f12 we need to fake this one
- #
- # capsh.c does essentially the following when invoked with --user:
- # pwd = getpwnam(user); ...
- # ngroups = MAX_GROUPS;
- # status = getgrouplist(user, pwd->pw_gid, groups, &ngroups); ...
- # status = setgroups(ngroups, groups); ...
- # status = setgid(pwd->pw_gid); ...
- # status = setuid(pwd->pw_uid); ...
- # however we cannot simulate that ourselves because if we did in this process then
- # capsh could not be allowed to mess with caps any more
-
 def getuid (slicename):
 import pwd
 try:
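Review bot: In hunk `@@ -105,7 +103,8 @@`, `readlines()[0]` on the new `init_pid` line takes whichever child `pgrep -P` prints first and raises IndexError when there is none, although the comment above expects exactly one child; since this pid appears to decide which container's namespaces are entered, an unexpected child count should be refused rather than used. I would read all children and check the count: `children = os.popen('pgrep -P %s'%driver_pid).read().split()`, then `if len(children) != 1: exit(1)` and `init_pid = int(children[0])`. `pgrep` is also resolved through PATH by the shell that `os.popen` starts, so an absolute path would be safer in a tool that presumably runs with root privileges. The old `/proc/.../children` line is left commented out with no reason given, so a one-line comment saying why it was replaced would help; `main()` continues outside the hunk.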
@@ -252,22 +238,21 @@ def main ():
 return
 if (fork_pid == 0):
- cap_arg = '--drop='+drop_capabilities
-
 if (not args.root):
+ setns.drop_caps()
 if (args.nosliceuid):
 # we still want to drop capabilities, but don't want to switch UIDs
- exec_args = [arch,'/usr/sbin/capsh',cap_arg,'--','--login',]+args.command_to_run
+ exec_args = [arch,'/bin/sh','--login',]+args.command_to_run
 else:
 uid = getuid (slice_name)
 if not uid:
 print "lxcsu could not spot %s in /etc/passwd - exiting"%slice_name
 exit(1)
- exec_args = [arch,'/usr/sbin/capsh',cap_arg,'--uid=%s'%uid,'--','--login',]+args.command_to_run
+ exec_args = [arch,'/bin/sh','--uid=%s'%uid,'--login',]+args.command_to_run
 # once we can drop f12, it would be nicer to instead go for
-# exec_args = [arch,'/usr/sbin/capsh',cap_arg,'--user=%s'%slice_name,'--','--login',]+args.command_to_run
+# exec_args = [arch,'/usr/sbin/capsh',cap_arg,'--user=%s'%slice_name,'--login',]+args.command_to_run
 else:
- exec_args = [arch,'/bin/sh','--login']+args.command_to_run
+ exec_args = [arch,'/bin/sh','--login']+args.command_to_run
 os.environ['SHELL'] = '/bin/sh'
 if os.path.exists('/etc/planetlab/lib/bind_public.so'):
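Review bot: In the `else:` branch under `if (args.nosliceuid)`, `'--uid=%s'%uid` is still passed but now to `/bin/sh`; it was a capsh option, so nothing visible in this hunk switches to the slice uid any more and the shell will probably reject the argument. Unless `setns.drop_caps()` (defined outside this diff) also changes identity, which seems unlikely as it runs before `getuid`, the slice command would keep the caller's uid. I would set groups, gid and uid in the child before the exec and pass only `--login` to the shell, as sketched below. `pwd` is currently imported only inside `getuid`, and if `drop_caps()` removes the capabilities needed for setuid/setgid the switch has to be made before that call. The commented-out `--user` line still refers to `cap_arg`, which this commit deletes, and `main()` starts and ends outside the hunk.

```python
            else:
                # … unchanged: uid = getuid(slice_name) and the "could not spot" exit …
                pw = pwd.getpwnam(slice_name)
                # groups and gid first: after setuid the process may no longer change them
                # supplementary groups are reduced to the primary group here
                os.setgroups([pw.pw_gid])
                os.setgid(pw.pw_gid)
                os.setuid(pw.pw_uid)
                exec_args = [arch,'/bin/sh','--login',]+args.command_to_run
```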