On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
> The LXC driver uses virSetUIDGID() to become UID/GID 0.
> It passes an empty groups list to virSetUIDGID()
> to get rid of all supplementary groups from the host side.
> But virSetUIDGID() calls setgroups() only if the supplied list
> is larger than 0.
> This leads to a container root with unrelated supplementary groups.
> In most cases this issue is unnoticed as libvirtd runs as UID/GID 0
> without any supplementary groups.
>
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> ---
> I've marked that patch as RFC as I'm not sure if all users of virSetUIDGID()
> expect this behavior too.

ACK & pushed - I concur with Martin that this is good practice.

Regards,
Daniel
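An added example, not part of the thread and not libvirt's code: a simplified C model of the condition described in the quoted commit message, comparing a helper that skips the group call when the list is empty with one that always makes it. The names `sim_setgroups`, `apply_groups_skip_empty`, `apply_groups_always` and the sample GIDs are assumptions; the simulated group set stands in for setgroups(2) so the code runs without privileges.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the kernel's per-process supplementary group set,
 * so the logic runs without CAP_SETGID. The GIDs are sample values. */
static const gid_t host_groups[] = { 4, 24, 27 };
static gid_t sim_groups[8];
static size_t sim_ngroups;

/* Same signature as setgroups(2); replaces the simulated set. */
static int sim_setgroups(size_t n, const gid_t *list)
{
    if (n > sizeof(sim_groups) / sizeof(sim_groups[0]))
        return -1;
    if (n > 0)
        memcpy(sim_groups, list, n * sizeof(gid_t));
    sim_ngroups = n;
    return 0;
}

/* Behaviour described in the mail: an empty list skips the call entirely. */
static int apply_groups_skip_empty(const gid_t *groups, size_t ngroups)
{
    return ngroups > 0 ? sim_setgroups(ngroups, groups) : 0;
}

/* Hardened: always call; an empty list clears the inherited set. */
static int apply_groups_always(const gid_t *groups, size_t ngroups)
{
    return sim_setgroups(ngroups, groups);
}

/* Start from the host's groups, request an empty list, and return how many
 * supplementary groups remain (-1 on error). */
int groups_left_after_empty_request(int hardened)
{
    sim_setgroups(sizeof(host_groups) / sizeof(host_groups[0]), host_groups);
    int rc = hardened ? apply_groups_always(NULL, 0)
                      : apply_groups_skip_empty(NULL, 0);
    return rc < 0 ? -1 : (int)sim_ngroups;
}

int main(void)
{
    printf("skip-empty leaves %d, always-call leaves %d\n",
           groups_left_after_empty_request(0), groups_left_after_empty_request(1));
    return 0;
}
```

In a real privileged process the same comparison can be checked by calling `getgroups(0, NULL)` after the identity switch, which returns the number of supplementary groups still attached.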