On 07/15/2013 06:14 AM, Daniel P. Berrange wrote:
> On Fri, Jul 12, 2013 at 03:13:48PM -0600, Eric Blake wrote:
>> @@ -146,8 +149,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
>> if (!mgr)
>> return NULL;
>>
>> - virSecurityDACSetUser(mgr, user);
>> - virSecurityDACSetGroup(mgr, group);
>> + if ((ngroups = virGetGroupList(user, group, &groups)) < 0) {
>> + virObjectUnref(mgr);
>> + return NULL;
>> + }
>> +
>> + virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);
>
> Hmm, the virSecurityManagerNewDAC method is run once at libvirtd startup.
> Previously if you edited /etc/group to change a user's groups it would
> take effect the very next time a VM is started. With this change, it will
> only take effect if libvirtd is restarted, which is a regression in
> behaviour.
But we still want to avoid the deadlock possible when probing the group
database between fork and exec. I guess that means I need to change
virSecurityManagerPreFork() to be the entry point where we probe
supplemental groups, so that the probe is done as late as possible
before the fork (and thus picks up the latest /etc changes). I'll try
that for a v2.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list