Re: Pass additional environmental variables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 12.08.2014 21:09, Sean Noonan wrote:
> We're using sasl+gssapi+kerberos to do authentication for libvirt, 
> including from hypervisor to hypervisor.  However, the environmental 
> variable filtering implemented in libvirt prevents this from working, so 
> we're forced to run a locally patched version.
> 
> Thoughts on the following patch to pass the location of the local 
> credential cache as well?
> 
> --- a/src/util/vircommand.c    2014-01-07 14:14:11.388934108 +0000
> +++ b/src/util/vircommand.c    2014-01-07 14:18:14.725082505 +0000
> @@ -1314,6 +1314,7 @@
> 
>       virCommandAddEnvPair(cmd, "LC_ALL", "C");
> 
> +    virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
>       virCommandAddEnvPassBlockSUID(cmd, "LD_PRELOAD", NULL);
>       virCommandAddEnvPassBlockSUID(cmd, "LD_LIBRARY_PATH", NULL);
>       virCommandAddEnvPassBlockSUID(cmd, "PATH", "/bin:/usr/bin");

I've got some doubts whether this is the correct approach. This will pass the environment variable to every command spawned. Do we really want every command have access to kerberos tickets? On the other hand, we've done this for a limited use case:

commit afc984af2e055b33f7c7b06ccacaf00103d4ce5e
Author:     Michal Privoznik <mprivozn@xxxxxxxxxx>
AuthorDate: Fri Sep 9 15:59:26 2011 +0200
Commit:     Michal Privoznik <mprivozn@xxxxxxxxxx>
CommitDate: Fri Sep 9 15:59:26 2011 +0200

    virnetsocket: Pass KRB5CCNAME env variable
    
    So we can allow GSSAPI authentication for ssh.
    
    Signed-off-by: Matthias Witte <witte@xxxxxxxxxxxxxx>

<patch-snip/>

diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 275b70d..88dc2a4 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -615,6 +615,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
 
     cmd = virCommandNew(binary ? binary : "ssh");
     virCommandAddEnvPassCommon(cmd);
+    virCommandAddEnvPass(cmd, "KRB5CCNAME");
     virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
     virCommandAddEnvPass(cmd, "SSH_ASKPASS");
     virCommandAddEnvPass(cmd, "DISPLAY");


Moreover, is KRB5CCNAME enough? What about KRB5_KTNAME?

And regarding the patch itself, I think you want to increase the preallocation constant too:

diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index e775ba6..aa493cd 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -1312,7 +1312,7 @@ virCommandAddEnvPassCommon(virCommandPtr cmd)
     if (!cmd || cmd->has_error)
         return;
 
-    if (VIR_RESIZE_N(cmd->env, cmd->maxenv, cmd->nenv, 9) < 0) {
+    if (VIR_RESIZE_N(cmd->env, cmd->maxenv, cmd->nenv, 10) < 0) {
         cmd->has_error = ENOMEM;
         return;
     }
@@ -1326,6 +1326,7 @@ virCommandAddEnvPassCommon(virCommandPtr cmd)
     virCommandAddEnvPassAllowSUID(cmd, "USER");
     virCommandAddEnvPassAllowSUID(cmd, "LOGNAME");
     virCommandAddEnvPassBlockSUID(cmd, "TMPDIR", NULL);
+    virCommandAddEnvPassBlockSUID(cmd, "KRB5CCNAME", NULL);
 }
 
 /**


Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]