On Tue, Jun 07, 2016 at 18:04:24 +0200, Peter Krempa wrote:
> Since introduction of the DAC security driver we've documented that
> seclabels with a leading + can be used with numerical uid. This would
> not work though with the rest of libvirt if the uid was not actually
> used in the system as we'd fail when trying to get a list of
> suplementary groups for the given uid. Since a uid without entry in
> /etc/passwd (or other user database) will not have any suppolementary
> groups we can treat the failure to obtain them as such.
>
> This patch modifies virGetGroupList to not report the error of missing
> user and tweaks callers to treat the missing list as having 0
> supplementary groups.
>
> The only place reporting errors is virt-login-shell as it's used to
> determine whether the given user is allowed to access the shell.
> ---
> With this I'm able to run the VM with any arbitrary UID/GID.
>
> CC: Roy Keene <rkeene@xxxxxxxxxxxxxxx>
> CC: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> src/security/security_dac.c | 12 +++++++-----
> src/util/vircommand.c | 4 +++-
> src/util/virfile.c | 28 ++++++++++++++++------------
> src/util/virutil.c | 25 ++++++++++++++++---------
> tools/virt-login-shell.c | 6 +++++-
> 5 files changed, 47 insertions(+), 28 deletions(-)
And my patch doesn't even compile ...
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 442ce70..e8af093 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -269,11 +269,13 @@ virSecurityDACPreFork(virSecurityManagerPtr mgr)
> int ngroups;
Since I forgot to ammend nuking of the above local variable and a
missing comma.
Consider the followin squashed in:
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index e8af093..9dec201 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -266,7 +266,6 @@ static int
virSecurityDACPreFork(virSecurityManagerPtr mgr)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- int ngroups;
VIR_FREE(priv->groups);
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
index b63bf6a..92a1651 100644
--- a/tools/virt-login-shell.c
+++ b/tools/virt-login-shell.c
@@ -251,7 +251,7 @@ main(int argc, char **argv)
if ((ngroups = virGetGroupList(uid, gid, &groups)) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
- _("failed to query supplementary group list for uid '%u'")
+ _("failed to query supplementary group list for uid '%u'"),
(unsigned int) uid);
goto cleanup;
}
Peter
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list