| field | value |
|---|---|
| author | Lennart Poettering <lennart@poettering.net>, 2021-10-28 15:10:42 +0200 |
| committer | Lennart Poettering <lennart@poettering.net>, 2021-10-29 09:16:34 +0200 |
| commit | 07bca16fc8b2e3de770a8d6d2910321091765efc (patch) |
| tree | 1b886a806d6c346e58759088e2f19bdea7971812 /src/nspawn/nspawn-mount.c |
| parent | Merge pull request #21163 from poettering/scope-no-pid (diff) |
nspawn: make sure to chown() implicit source dirs for --bind= to container root UID
This makes sure that a switch like --bind=:/foo does the right thing if
user namespacing is on: the backing dir should be owned by the
container's root UID, not the host's. Thus, whenever the source path is
left empty and we automatically generate a source dir as a temporary
directory, ensure it's owned by the right UID.
Fixes: #20869
Diffstat (limited to 'src/nspawn/nspawn-mount.c')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/nspawn/nspawn-mount.c | 5 |

1 file changed, 5 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 751e270c6c..2bfff79cde 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -726,6 +726,11 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u return r; } + /* If this is a bind mount from a temporary sources change ownership of the source to the container's + * root UID. Otherwise it would always show up as "nobody" if user namespacing is used. */ + if (m->rm_rf_tmpdir && chown(m->source, uid_shift, uid_shift) < 0) + return log_error_errno(errno, "Failed to chown %s: %m", m->source); + if (stat(m->source, &source_st) < 0) return log_error_errno(errno, "Failed to stat %s: %m", m->source); |
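Review bot: the new comment in the hunk reads "from a temporary sources change ownership"; make it "from a temporary source, change ownership" (singular, with a comma before the main clause). On the logic, chown(m->source, uid_shift, uid_shift) passes the UID shift as the group argument as well, so the new code assumes the container's GID range starts at the same offset as its UID range; a short comment stating that assumption would stop a later reader from taking the duplicated argument for a copy-paste slip. The placement is fine: the chown runs before the stat(m->source, &source_st) that follows, so source_st reflects the corrected ownership, and the m->rm_rf_tmpdir guard keeps the chown limited to the directories nspawn created itself rather than any user-supplied source.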