conf: don't report success when idmaptools lack all privilege

Fixes: #3777 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · Apr 12, 2021 · c0f1dc9 · c0f1dc9
1 parent 24d1ef2
commit c0f1dc9
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
@@ -2816,16 +2816,17 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap)
 	    lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) &&
 	    lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED))
 		return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path);
+
+	return 0;
 #else
 	/*
 	 * If we cannot check for file capabilities we need to give the benefit
 	 * of the doubt. Otherwise we might fail even though all the necessary
 	 * file capabilities are set.
 	 */
 	DEBUG("Cannot check for file capabilities as full capability support is missing. Manual intervention needed");
-#endif
-
 	return 1;
+#endif
 }
 
 static int lxc_map_ids_exec_wrapper(void *args)