On 07.06.2016 18:04, Peter Krempa wrote:
> Since introduction of the DAC security driver we've documented that
> seclabels with a leading + can be used with numerical uid. This would
> not work though with the rest of libvirt if the uid was not actually
> used in the system as we'd fail when trying to get a list of
> supplementary groups for the given uid. Since a uid without entry in
> /etc/passwd (or other user database) will not have any supplementary
> groups we can treat the failure to obtain them as such.
>
> This patch modifies virGetGroupList to not report the error of missing
> user and tweaks callers to treat the missing list as having 0
> supplementary groups.
>
> The only place reporting errors is virt-login-shell as it's used to
> determine whether the given user is allowed to access the shell.
> ---
> With this I'm able to run the VM with any arbitrary UID/GID.
>
> CC: Roy Keene <rkeene@xxxxxxxxxxxxxxx>
> CC: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> src/security/security_dac.c | 12 +++++++-----
> src/util/vircommand.c | 4 +++-
> src/util/virfile.c | 28 ++++++++++++++++------------
> src/util/virutil.c | 25 ++++++++++++++++---------
> tools/virt-login-shell.c | 6 +++++-
> 5 files changed, 47 insertions(+), 28 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 442ce70..e8af093 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c
> @@ -269,11 +269,13 @@ virSecurityDACPreFork(virSecurityManagerPtr mgr) > int ngroups; > > VIR_FREE(priv->groups); > - priv->ngroups = 0; > - if ((ngroups = virGetGroupList(priv->user, priv->group, > - &priv->groups)) < 0) > - return -1; > - priv->ngroups = ngroups; > + > + /* ignore a possible problem in getting supplementary groups just assume > + * we have none and continue with uid/gid only */ > + if ((priv->ngroups = virGetGroupList(priv->user, priv->group, > + &priv->groups)) < 0) > + priv->ngroups = 0; > +

This will ignore just any kind of error. But I guess that's what we want anyway.

ACK

Michal
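
Review bot: in virSecurityDACPreFork the new "< 0" branch swallows every failure of virGetGroupList, not only the missing-user case the commit message describes, so any other error the function can return now forks the child with no supplementary groups where the old code did "return -1". Consider having virGetGroupList return 0 with an empty list for a uid that has no user database entry and keeping "return -1" here for genuine failures, or at minimum logging that the group list was dropped so an unexpected permission denial in the child can be traced back to this point. Two smaller items in the same hunk: the context line "int ngroups;" no longer has any use in the lines shown, since the result is now assigned straight to priv->ngroups, and the new comment runs two sentences together ("... supplementary groups just assume we have none ...") and would read better split.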