On Mon, Jun 22, 2009 at 08:58:27PM +0100, Daniel P. Berrange wrote:
>
> This sets up some basic support in libvirtd for dropping privileges
> by removing capabilities, or changing uid/gid of the process. It
> needed a little movement of existing code to allow us to drop
> privileges in between initializing the daemon and initializing the
> drivers.
>
> As I mentioned in the first mail, this patch doesn't really improve
> security of the daemon, since we keep CAP_DAC_OVERRIDE, CAP_SYS_ADMIN
> and CAP_NET_ADMIN. I've put comments inline showing why I chose to
> keep/exclude each capability.

  The problem is that the amount of capability we can drop is dependent
on the actual set of drivers installed. I have the feeling that each
driver should have a method exporting the capabilities it needs, and once
we have initialized the set of drivers then we should drop to the logical
OR'ing of them. I think trying to maintain a global knowledge of all
drivers' requirements in a central place won't scale well and that's
better left to the driver maintainers.

> I also added a helper to util.c for resolving a name to a gid/uid.
>
> Ignore all the printfs() in the code, those will be removed later
> before I submit this again...

  That said, as a first approach that looks fine to me.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
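The scheme sketched in the reply above (each driver exports the capabilities it needs, the daemon ORs them together once the drivers are known, then drops to that set after switching uid/gid), written out as an added example. This is not libvirt's code and not the patch under review; every name (virDriverDesc, virCapsUnion, virCapsDropTo, virResolveUid) and the three sample drivers are hypothetical, and the capability numbers are the ones from <linux/capability.h>. It uses raw capset()/prctl() rather than libcap so it builds without extra libraries; the actual drop only works when run as root on Linux, the pure parts run anywhere.

```c
/* Added example, not libvirt code: per-driver capability requirements
 * OR'd into one keep-set, then uid/gid switched and everything else dropped.
 * All identifiers are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <grp.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#endif

/* Capability numbers (as in <linux/capability.h>), repeated so the mask
 * arithmetic also compiles on non-Linux hosts. */
#define VIR_CAP_DAC_OVERRIDE 1
#define VIR_CAP_SETPCAP      8
#define VIR_CAP_NET_ADMIN    12
#define VIR_CAP_SYS_ADMIN    21
#define VIR_CAP_MAX          63          /* highest bit a 64-bit mask holds */
#define VIR_CAPBIT(c) ((uint64_t)1 << (c))

/* Hypothetical driver descriptor: the driver, not the daemon, says what it needs. */
typedef struct {
    const char *name;
    uint64_t (*requiredCaps)(void);
} virDriverDesc;

/* Constructed sample drivers with plausible declarations. */
static uint64_t qemuCaps(void)    { return VIR_CAPBIT(VIR_CAP_DAC_OVERRIDE) |
                                           VIR_CAPBIT(VIR_CAP_SYS_ADMIN) |
                                           VIR_CAPBIT(VIR_CAP_NET_ADMIN); }
static uint64_t networkCaps(void) { return VIR_CAPBIT(VIR_CAP_NET_ADMIN); }
static uint64_t testCaps(void)    { return 0; }

const virDriverDesc virDriversLoaded[] = {
    { "qemu", qemuCaps }, { "network", networkCaps }, { "test", testCaps },
};
const size_t virDriversLoadedCount = sizeof(virDriversLoaded) / sizeof(virDriversLoaded[0]);

/* Logical OR of every loaded driver's requirements: the set we must keep. */
uint64_t virCapsUnion(const virDriverDesc *drivers, size_t n)
{
    uint64_t keep = 0;
    for (size_t i = 0; i < n; i++)
        keep |= drivers[i].requiredCaps();
    return keep;
}

/* Resolve a user name or a numeric string to a uid (assumption: both forms
 * are accepted). Returns 0 on success, -1 if the name is unknown. */
int virResolveUid(const char *name, uid_t *uid)
{
    char *end;
    unsigned long v = strtoul(name, &end, 10);
    if (*name && !*end) { *uid = (uid_t)v; return 0; }
    struct passwd *pw = getpwnam(name);
    if (!pw) return -1;
    *uid = pw->pw_uid;
    return 0;
}

#ifdef __linux__
/* Set permitted/effective to the given masks; inheritable stays empty. */
static int virCapsSet(uint64_t permitted, uint64_t effective)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof(data));
    data[0].permitted = (uint32_t)permitted; data[1].permitted = (uint32_t)(permitted >> 32);
    data[0].effective = (uint32_t)effective; data[1].effective = (uint32_t)(effective >> 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Switch to uid/gid and keep only 'keep'. Must run while still root, i.e.
 * between daemon init and driver init, as the patch arranges. */
int virCapsDropTo(uint64_t keep, uid_t uid, gid_t gid)
{
    /* setuid() would otherwise clear permitted; KEEPCAPS retains it (effective is still cleared). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Re-raise effective = keep + CAP_SETPCAP; the latter is needed to shrink the bounding set. */
    uint64_t tmp = keep | VIR_CAPBIT(VIR_CAP_SETPCAP);
    if (virCapsSet(tmp, tmp) < 0) return -1;
    /* Shrink the bounding set so nothing we exec() can regain a dropped cap. */
    for (int c = 0; c <= VIR_CAP_MAX; c++)
        if (!(keep & VIR_CAPBIT(c)) && prctl(PR_CAPBSET_DROP, c, 0, 0, 0) < 0 &&
            errno != EINVAL)            /* EINVAL: number unknown to this kernel */
            return -1;
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) return -1;
    return virCapsSet(keep, keep);      /* finally give up CAP_SETPCAP too */
}
#endif

int main(void)
{
    uint64_t keep = virCapsUnion(virDriversLoaded, virDriversLoadedCount);
    printf("caps to keep for %zu drivers: 0x%016llx\n",
           virDriversLoadedCount, (unsigned long long)keep);
    return 0;
}
```

The point of the order inside virCapsDropTo is that CAP_SETPCAP is needed to edit the bounding set but is not something any driver declared, so it is carried through the setuid() only long enough to do that job and is the last thing dropped; the keep-set itself is never touched by hand in the daemon, it is whatever the loaded drivers asked for.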