Re: [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Nov 18, 2015 at 07:35:39AM +0100, Martin Kletzander wrote:
> On Tue, Nov 17, 2015 at 10:02:36PM +0100, Richard Weinberger wrote:
> >On Wed, Jun 24, 2015 at 11:19 AM, Martin Kletzander <mkletzan@xxxxxxxxxx> wrote:
> >>On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
> >>>
> >>>The LXC driver uses virSetUIDGID() to become UID/GID 0.
> >>>It passes an empty groups list to virSetUIDGID()
> >>>to get rid of all supplementary groups from the host side.
> >>>But virSetUIDGID() calls setgroups() only if the supplied list
> >>>is larger than 0.
> >>>This leads to a container root with unrelated supplementary groups.
> >>>In most cases this issue is unoticed as libvirtd runs as UID/GID 0
> >>>without any supplementary groups.
> >>>
> >>>Signed-off-by: Richard Weinberger <richard@xxxxxx>
> >>>---
> >>>I've marked that patch as RFC as I'm not sure if all users of
> >>>virSetUIDGID()
> >>>expect this behavior too.
> >>>
> >>
> >>I went through the callers and I see no reason why setgroups should
> >>not be called.  ACK.  I also can't think of a use case in which we'd
> >>like to keep the supplemental groups.
> >
> >Ping?
> >
> 
> Oh, sorry, I didn't realize you don't have push access.  Would you
> happen to have these patches around somewhere?  The originals got
> archived automatically.  If you send them to me, I'll push them, it
> would be easier than me sucking it out of the ML archive (the same
> applies for the other patch: "bind mount container TTYs").

Don't worry, I've pushed them all.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]