Re: [RFC PATCH] Solaris least privilege

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 24, 2008 at 03:04:56PM +0100, John Levon wrote:
> On Thu, Apr 24, 2008 at 09:54:19AM -0400, Daniel Veillard wrote:
> 
> >   in general the idea of removing all those geteid() == 0 and replacing
> > them like xenHavePrivilege() is a good one. The patch includes stuff which
> > is not strictly related like the virsh console cleanup which should be
> > separated.
> 
> Sure, at merge time everything will be split up appropriately. BTW, it
> is related very much: only xenconsole has privilege to connect to Xen
> consoles.

In that case we should definitel split the 'virsh console' impl out into
a separate binary, so we can use the non-Xen specific codebase and stil
maintain your privilege separation.

> > Also it seems you use some socket auth extensions to detect the
> > uid of the other process, we do that already in qemud/qemud.c see
> > function qemudGetSocketIdentity() , maybe we should abstract that in the
> > util.c module and provide the _sun version there.
> 
> It's not about UID but privilege. The Identity stuff is only used under
> HAVE_POLKIT, so I'm not sure there's much commonality that can be
> abstracted. Can you describe further what you would expect it to look
> like?

Although we don't use the qemudGetSocketIdentity() anyway other than under
the POLKIT code, this may change in the future, so it'd just be convenient
to have a Solaris impl there. We can change the #if HAVE_POLKIT to be
#ifdef HAVE_POLKIT || __sun, so the method is available to the privilege
checking code too.

Dan
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]