[pve-devel] applied: [PATCH cluster] pmxcfs: do not grant LXC configs o+r permissions anymore

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Oct 7 16:06:57 CEST 2020


This was initially done because of some hook reading the config from
an unprivileged namespace when using unprivileged containers.

But, we nowadays do not do this anymore, either setup stuff before to
or use another source for getting required information (e.g., our
autodev hook uses "/var/lib/lxc/$vmid/devices").

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---

This cas some potential for fall-out, so we should watch it closely.
My CTs, both privileged and unprivileged start just fine.
Talked a bit with Dominik and Wolfgang B., plus audited the CT hooks;
it really seems not required anymore.
If there's a regression, we rather should fix that in another way than makeing
CT configs world readable..

 data/src/pmxcfs.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/data/src/pmxcfs.c b/data/src/pmxcfs.c
index 40ee6cd..d78a248 100644
--- a/data/src/pmxcfs.c
+++ b/data/src/pmxcfs.c
@@ -142,11 +142,7 @@ static int cfs_fuse_getattr(const char *path, struct stat *stbuf)
 			if (S_ISDIR(stbuf->st_mode) || S_ISLNK(stbuf->st_mode)) {
 				stbuf->st_mode &= 0777755; // access for other users
 			} else {
-				if (path_is_lxc_conf(path)) {
-					stbuf->st_mode &= 0777755; // access for other users
-				} else {
-					stbuf->st_mode &= 0777750; // no access for other users
-				}
+				stbuf->st_mode &= 0777750; // no access for other users
 			}
 		}
 	}
-- 
2.20.1






More information about the pve-devel mailing list