Ubuntu
lxc package

Merge lp:~serge-hallyn/ubuntu/trusty/lxc/lxc-chmod-cache into lp:~ubuntu-branches/ubuntu/trusty/lxc/trusty

  1. Trusty (14.04)
  2. lxc-chmod-cache
  3. Merge into trusty
Proposed by Serge Hallyn
Status: Merged
Merge reported by: Stéphane Graber
Merged at revision: not available
Proposed branch: lp:~serge-hallyn/ubuntu/trusty/lxc/lxc-chmod-cache
Merge into: lp:~ubuntu-branches/ubuntu/trusty/lxc/trusty
Diff against target: 53 lines (+25/-0)
3 files modified
debian/changelog (+10/-0)
debian/lxc.postinst (+9/-0)
debian/rules (+6/-0)
To merge this branch: bzr merge lp:~serge-hallyn/ubuntu/trusty/lxc/lxc-chmod-cache
Reviewer Review Type Date Requested Status
Stéphane Graber Pending
Review via email: mp+192914@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Stéphane Graber (stgraber) wrote :

So I think we should do that for /var/cache/lxc too (to avoid people being able to run an outdated buggy setuid binary).

Also, can't you do that from the existing override_dh_install target (you may have to mkdir -p the path from there)?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

I had tried from the existing override_dh_install, at the end. That did not work. To make sure I just added the mkdir before it, and still get

drwxr-xr-x 1 ubuntu ubuntu 0 Oct 28 20:41 lxc

(re-build the package and did dpkg -x to look at the package contents).

Good point about the cache - I'd just remembered that as I was writing the SRU test case.

lp:~serge-hallyn/ubuntu/trusty/lxc/lxc-chmod-cache updated
306. By Serge Hallyn

update: also address /var/cache/lxc

Revision history for this message
Stéphane Graber (stgraber) wrote :

Alright, looks good then.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2013-10-24 16:55:06 +0000
3+++ debian/changelog 2013-10-28 20:44:37 +0000
4@@ -1,3 +1,13 @@
5+lxc (1.0.0~alpha2-0ubuntu5) trusty; urgency=low
6+
7+ * debian/rules and debian/lxc.postinst: set /var/lib/lxc and /var/cache/lxc
8+ to be perms 700. That prevents unprivileged users from running setuid-root
9+ applications. Install that way by default, and for any previous versions,
10+ update the permissions. After this version, respect the user's choice.
11+ (LP: #1244635)
12+
13+ -- Serge Hallyn <serge.hallyn@ubuntu.com> Mon, 28 Oct 2013 12:47:19 -0500
14+
15 lxc (1.0.0~alpha2-0ubuntu4) trusty; urgency=low
16
17 * get_rid_of_lxcpath_anon_idea.patch: allow lxc-stop and lxc-attach to
18
19=== modified file 'debian/lxc.postinst'
20--- debian/lxc.postinst 2013-03-27 20:51:08 +0000
21+++ debian/lxc.postinst 2013-10-28 20:44:37 +0000
22@@ -107,5 +107,14 @@
23 # Try to restart a potential system wide dnsmasq
24 invoke-rc.d dnsmasq restart 2>/dev/null || true
25 fi
26+
27+ # Up to version 1.0.0~alpha2-0ubuntu4 lxc was installed world
28+ # readable. After that version if users want it that way for
29+ # convenience, then that's fine. But one time go ahead and
30+ # forcibly change the permissions.
31+ if dpkg --compare-versions "$2" lt "1.0.0~alpha2-0ubuntu5"; then
32+ chmod 700 /var/lib/lxc
33+ chmod 700 /var/cache/lxc
34+ fi
35 fi
36 exit 0
37
38=== modified file 'debian/rules'
39--- debian/rules 2013-10-20 04:09:54 +0000
40+++ debian/rules 2013-10-28 20:44:37 +0000
41@@ -49,6 +49,12 @@
42 mkdir -p debian/lxc-tests/usr/bin
43 mv debian/lxc/usr/bin/lxc-test-* debian/lxc-tests/usr/bin/
44
45+override_dh_builddeb:
46+ # prevent system users from using setuid-root binaries under /var/lib/lxc
47+ chmod 700 debian/lxc/var/lib/lxc
48+ chmod 700 debian/lxc/var/cache/lxc
49+ dh_builddeb
50+
51 override_dh_installinit:
52 dh_installinit --no-restart-on-upgrade --name=lxc
53 dh_installinit --no-restart-on-upgrade --name=lxc-net

Subscribers

People subscribed via source and target branches

to all changes: