Hi,

I recently experienced that my qemu guest (which I'm using with an
unprivileged user) fails to start with:

  error: internal error process exited while connecting to monitor:
  chardev: opening backend "pty" failed

This happens upon trying to facilitate the

  <serial type='pty'>
    <target port='0'/>
  </serial>
  <console type='pty'>
    <target type='serial' port='0'/>
  </console>

stanzas, for which qemu wants to grab a pty through openpty(3). openpty
needs the assigned pty to be chown'd to the qemu user, which is attempted
via running the setuid helper program pt_chown. However, chown(2) fails
with EPERM.

The culprit seems to be the commits

  v1.0.3-rc1~113: util: virSetUIDGIDWithCaps - change uid while keeping caps
  v1.0.3-rc1~112: util: maintain caps when running command with uid != 0

which change how capabilities are manipulated before program execution.
Just immediately before the execve(2) call, the qemu process used to have
the following capabilities:

  CapInh: 0000000000000000
  CapPrm: 0000000000000000
  CapEff: 0000000000000000
  CapBnd: ffffffffffffffff

Since said commits, it looks like:

  CapInh: 0000000000000000
  CapPrm: 0000000000000000
  CapEff: 0000000000000000
  CapBnd: ffffffe000000000

As far as my capability-noob eyes can see, the bounding set lacks
CAP_CHOWN and thus pt_chown won't attain CAP_CHOWN despite running on
uid 0, and the EPERM is triggered.

How could we fix it? Should the qemu invocation be customized, or
virExec() adjusted? Or is there some configuration workaround?

(For the record, I've seen it on Arch Linux; tried their binary package
and also my own builds, which included a current git checkout.)

Thanks
Csaba

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
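
Added example, not part of the original message or of libvirt's code: it decodes the two capability dumps quoted above and applies the execve(2) rule from capabilities(7) for a setuid-root binary, simplified to ignore the ambient set and securebits. The function names are illustrative, and the name table covers capability bits 0 to 36 only.

```python
# Added example. Sample inputs are the two capability dumps quoted in the message.
# Capability bit numbers 0..36, in the order of <linux/capability.h>.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND""".split()

BEFORE = """CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff"""

AFTER = """CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffe000000000"""

def parse_caps(status_text):
    """Return {'CapInh': int, 'CapBnd': int, ...} from /proc/<pid>/status lines."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().startswith("Cap"):
            caps[key.strip()] = int(value.strip(), 16)
    return caps

def names(mask):
    """Names of the known capabilities whose bit is set in mask."""
    return {"CAP_" + n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1}

def setuid_root_permitted(caps):
    """Permitted set a setuid-root helper gets after execve().

    capabilities(7): P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bounding)),
    and for a setuid-root file both file sets count as all ones, so the result
    is P(inh) | P(bounding). Becoming uid 0 does not restore a dropped bit.
    """
    return caps["CapInh"] | caps["CapBnd"]

def helper_can_chown(status_text):
    """True if a setuid-root helper such as pt_chown would hold CAP_CHOWN."""
    return "CAP_CHOWN" in names(setuid_root_permitted(parse_caps(status_text)))

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        kept = names(parse_caps(dump)["CapBnd"])
        print(label, "bounding set keeps", len(kept), "known caps;",
              "helper can chown:", helper_can_chown(dump))
```

To inspect a live process, pass the contents of /proc/<pid>/status to parse_caps() instead of the embedded dumps.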