[pve-devel] [PATCH container 2/3] create: open templates as real root

Dietmar Maurer dietmar at proxmox.com
Mon Jun 26 11:44:20 CEST 2017 


> On June 26, 2017 at 9:32 AM Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
> 
> 
> When creating an unprivileged container previously couldn't
> open template files the unprivileged namespace did not have
> access to. This fixes that.
> 
> Note that we cannot pass the file via stdin since tar will
> then refuse to extract compressed archives automatically.
> ---
> This fixes #1427 but I'd still like uploaded templates (and only
> templates) to become world readable, so not marking it in the commit
> message.
> 
>  src/PVE/LXC/Create.pm | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)
> 
> diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
> index 5b2e5b9..8b9e876 100644
> --- a/src/PVE/LXC/Create.pm
> +++ b/src/PVE/LXC/Create.pm
> @@ -5,6 +5,7 @@ use warnings;
>  use File::Basename;
>  use File::Path;
>  use Data::Dumper;
> +use Fcntl;
>  
>  use PVE::Storage;
>  use PVE::LXC;
> @@ -62,7 +63,17 @@ sub restore_archive {
>      my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
>      my $userns_cmd = PVE::LXC::userns_command($id_map);
>  
> -    my $cmd = [@$userns_cmd, 'tar', 'xpf', $archive, '--totals',
> +    my $archive_fh;
> +    my $tar_input_file = '-';
> +    if ($archive ne '-') {
> +	sysopen($archive_fh, $archive, O_RDONLY)
> +	    or die "failed to open '$archive': $!\n";
> +	$tar_input_file = '/proc/self/fd/'.fileno($archive_fh);
> +	my $flags = $archive_fh->fcntl(Fcntl::F_GETFD(), 0);
> +	$archive_fh->fcntl(Fcntl::F_SETFD(), $flags & ~(Fcntl::FD_CLOEXEC()));
> +    }
> +
> +    my $cmd = [@$userns_cmd, 'tar', 'xpf', $tar_input_file, '--totals',
>                 @$PVE::LXC::COMMON_TAR_FLAGS,
>                 '-C', $rootdir];
>  
> @@ -79,9 +90,11 @@ sub restore_archive {
>  	eval { PVE::Tools::run_command($cmd, input => "<&STDIN"); };
>      } else {
>  	print "extracting archive '$archive'\n";
> -	eval { PVE::Tools::run_command($cmd); };
> +	eval { PVE::Tools::run_command($cmd, input => '<&'.fileno($archive_fh)); };

I guess this is no longer required?

>      }
> -    die $@ if $@ && !$no_unpack_error;
> +    my $err = $@;
> +    close($archive_fh) if defined $archive_fh;
> +    die $err if $err && !$no_unpack_error;
>  
>      # if arch is set, we do not try to autodetect it
>      return if defined($conf->{arch});
> -- 
> 2.11.0
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

More information about the pve-devel mailing list