Re: [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
> The LXC driver uses virSetUIDGID() to become UID/GID 0.
> It passes an empty groups list to virSetUIDGID()
> to get rid of all supplementary groups from the host side.
> But virSetUIDGID() calls setgroups() only if the supplied list
> is larger than 0.
> This leads to a container root with unrelated supplementary groups.
> In most cases this issue is unoticed as libvirtd runs as UID/GID 0
> without any supplementary groups.
> 
> Signed-off-by: Richard Weinberger <richard@xxxxxx>
> ---
> I've marked that patch as RFC as I'm not sure if all users of virSetUIDGID()
> expect this behavior too.
> 
> Thanks,
> //richard
> ---
>  src/util/virutil.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index cddc78a..ea697a3 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1103,7 +1103,7 @@ virSetUIDGID(uid_t uid, gid_t gid, gid_t *groups ATTRIBUTE_UNUSED,
>      }
>  
>  # if HAVE_SETGROUPS
> -    if (ngroups && setgroups(ngroups, groups) < 0) {
> +    if (setgroups(ngroups, groups) < 0) {

After running unit tests I see this causes a failure in virCommand.
We were using 'ngroups != NULL' as a crude check to skip setgroups()
when unprivileged.

The better way to check this is by doing  'gid != (gid_t_-1' as we
use on the line above which calls setgid(). So I'll push this instead:

-    if (ngroups && setgroups(ngroups, groups) < 0) {
+    if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) {
 

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]