Re: [PATCHv2 14/15] util: maintain caps when running command with uid != 0

On 02/12/2013 01:15 PM, Laine Stump wrote:
> virCommand was previously calling virSetUIDGID() to change the uid and
> gid of the child process, then separately calling
> virSetCapabilities(). This did not work if the desired uid was != 0,
> since a setuid to anything other than 0 normally clears all
> capabilities bits.
> 
> The solution is to use the new virSetUIDGIDWithCaps(), sending it the
> uid, gid, and capabilities bits. This will get the new process set up
> properly.
> 
> Since the static functions virSetCapabilities() and
> virClearCapabilities are no longer called, they have been removed.
> 
> NOTE: When combined with "filecap $path-to-qemu sys_rawio", this patch
> will make CAP_SYS_RAWIO (which is required for passthrough of generic
> scsi commands to a guest - see commits e8daeeb, 177db08, 397e6a7, and
> 74e0349) be retained by qemu when necessary. Apparently that
> capability has been broken for non-root qemu every since it was

s/every/ever/

> originally added.
> ---
> Change from V1: s/todo/to do/ in comment
> 
> I didn't do anything about issuing a warning if CAPNG isn't present,
> because we previously haven't done that, and I think it would clutter
> the log terribly on any platform that didn't have libcapng.

Fair enough.  Maybe if there were a way to do a one-shot logging it
might be helpful; but as there is no change in logging behavior (not
logging either before or after this patch), that could be deferred to a
later patch if we ever want it.

ACK.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
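
An added illustration of the behaviour the quoted commit message describes (not code from this thread or from libvirt): a small C model of the capability fix-up rules that capabilities(7) documents for UID changes, showing why CAP_SYS_RAWIO is lost on a plain switch to a non-zero uid and what the keep-caps flag changes. The `struct creds` type, the `model_*` function names and uid 107 are constructed for this example; the model makes no system calls and leaves out the ambient set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_RAWIO_BIT (1ULL << 17)  /* CAP_SYS_RAWIO is capability number 17 */

struct creds {                          /* hypothetical type for this example */
    unsigned ruid, euid, suid;
    uint64_t permitted, effective;
    bool keep_caps;                     /* state set by prctl(PR_SET_KEEPCAPS, 1) */
};

static bool any_root(const struct creds *c)
{
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}

/* Model of setresuid(uid, uid, uid) followed by the kernel's fix-up. */
struct creds model_setuid_all(struct creds old, unsigned uid)
{
    struct creds next = old;
    next.ruid = next.euid = next.suid = uid;
    /* Rule 1: some uid was 0 and none is now: clear both sets unless keep-caps. */
    if (any_root(&old) && !any_root(&next) && !old.keep_caps)
        next.permitted = next.effective = 0;
    /* Rule 2: euid 0 -> non-zero always clears the effective set. */
    if (old.euid == 0 && next.euid != 0)
        next.effective = 0;
    /* Rule 3: euid non-zero -> 0 copies permitted into effective. */
    if (old.euid != 0 && next.euid == 0)
        next.effective = next.permitted;
    return next;
}

/* Model of capset(): only bits already in the permitted set may be raised. */
bool model_raise_effective(struct creds *c, uint64_t caps)
{
    if ((caps & c->permitted) != caps)
        return false;                   /* the real call fails with EPERM */
    c->effective |= caps;
    return true;
}

int main(void)
{
    struct creds root = { 0, 0, 0, CAP_SYS_RAWIO_BIT, CAP_SYS_RAWIO_BIT, false };
    struct creds plain = model_setuid_all(root, 107);   /* constructed uid */
    root.keep_caps = true;
    struct creds kept = model_setuid_all(root, 107);
    printf("plain: re-raise %s\n", model_raise_effective(&plain, CAP_SYS_RAWIO_BIT) ? "ok" : "denied");
    printf("kept:  re-raise %s\n", model_raise_effective(&kept, CAP_SYS_RAWIO_BIT) ? "ok" : "denied");
    return 0;
}
```

Even with keep-caps set, the effective set is emptied by the uid change, so the capability has to be raised again afterwards from the retained permitted set.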
