lxc-checkconfig: verify new[ug]idmap are setuid-root

Signed-off-by: Serge Hallyn <serge@hallyn.com>

diff --git a/src/lxc/tools/lxc-checkconfig.in b/src/lxc/tools/lxc-checkconfig.in
index 61627e0f83cfb6fed3162a3b668e5a37e69d18fb..4182191f6655ed7076a9f217f4b0c80b83dd264e 100644 (file)
--- a/src/lxc/tools/lxc-checkconfig.in
+++ b/src/lxc/tools/lxc-checkconfig.in
@@ -88,6 +88,24 @@ echo -n "Utsname namespace: " && is_enabled CONFIG_UTS_NS
 echo -n "Ipc namespace: " && is_enabled CONFIG_IPC_NS yes
 echo -n "Pid namespace: " && is_enabled CONFIG_PID_NS yes
 echo -n "User namespace: " && is_enabled CONFIG_USER_NS
+if is_set CONFIG_USER_NS; then
+       if type newuidmap > /dev/null 2>&1; then
+               f=`type -P newuidmap`
+               if [ ! -u "${f}" ]; then
+                       echo "Warning: newuidmap is not setuid-root"
+               fi
+       else
+               echo "newuidmap is not installed"
+       fi
+       if type newgidmap > /dev/null 2>&1; then
+               f=`type -P newgidmap`
+               if [ ! -u "${f}" ]; then
+                       echo "Warning: newgidmap is not setuid-root"
+               fi
+       else
+               echo "newgidmap is not installed"
+       fi
+fi
 echo -n "Network namespace: " && is_enabled CONFIG_NET_NS
 if ([ $KVER_MAJOR -lt 4 ]) || ([ $KVER_MAJOR -eq 4 ] && [ $KVER_MINOR -lt 7 ]); then
        echo -n "Multiple /dev/pts instances: " && is_enabled DEVPTS_MULTIPLE_INSTANCES