[pve-devel] applied: [PATCH cluster] pmxcfs: do not grant LXC configs o+r permissions anymore
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Oct 7 16:06:57 CEST 2020
This was initially done because of some hook reading the config from
an unprivileged namespace when using unprivileged containers.
But, we nowadays do not do this anymore, either setup stuff before to
or use another source for getting required information (e.g., our
autodev hook uses "/var/lib/lxc/$vmid/devices").
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
This cas some potential for fall-out, so we should watch it closely.
My CTs, both privileged and unprivileged start just fine.
Talked a bit with Dominik and Wolfgang B., plus audited the CT hooks;
it really seems not required anymore.
If there's a regression, we rather should fix that in another way than makeing
CT configs world readable..
data/src/pmxcfs.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/data/src/pmxcfs.c b/data/src/pmxcfs.c
index 40ee6cd..d78a248 100644
--- a/data/src/pmxcfs.c
+++ b/data/src/pmxcfs.c
@@ -142,11 +142,7 @@ static int cfs_fuse_getattr(const char *path, struct stat *stbuf)
if (S_ISDIR(stbuf->st_mode) || S_ISLNK(stbuf->st_mode)) {
stbuf->st_mode &= 0777755; // access for other users
} else {
- if (path_is_lxc_conf(path)) {
- stbuf->st_mode &= 0777755; // access for other users
- } else {
- stbuf->st_mode &= 0777750; // no access for other users
- }
+ stbuf->st_mode &= 0777750; // no access for other users
}
}
}
--
2.20.1
More information about the pve-devel
mailing list