On 10/29/2013 12:52 PM, John Ferlan wrote: > To ensure proper processing by virGetUserID() and virGetGroupID() > of a uid/gid add a "+" prior to the uid/gid to denote it's really > a uid/gid for the label. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > src/security/security_dac.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) ACK. Although unlikely, it is possible to have a system with a username that is purely digits, and where those digits don't match the underlying uid, so it is indeed nice that when we know we have a uid that we force the parser to skip a name lookup (which harmlessly fails on 99.99% of the systems, but which could potentially get wrong credentials on the rare system with odd usernames). Worth including in 1.1.4. > > diff --git a/src/security/security_dac.c b/src/security/security_dac.c > index 019c789..cb7d322 100644 > --- a/src/security/security_dac.c > +++ b/src/security/security_dac.c > @@ -60,7 +60,7 @@ virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, > priv->user = user; > priv->group = group; > > - if (virAsprintf(&priv->baselabel, "%u:%u", > + if (virAsprintf(&priv->baselabel, "+%u:+%u", > (unsigned int) user, > (unsigned int) group) < 0) > return -1; > @@ -1064,7 +1064,7 @@ virSecurityDACGenLabel(virSecurityManagerPtr mgr, > } > break; > case VIR_DOMAIN_SECLABEL_DYNAMIC: > - if (virAsprintf(&seclabel->label, "%u:%u", > + if (virAsprintf(&seclabel->label, "+%u:+%u", > (unsigned int) priv->user, > (unsigned int) priv->group) < 0) > return rc; > -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
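Review bot: The "+" in the new baselabel format in virSecurityDACSetUserAndGroup() has no comment explaining it, so "+%u:+%u" reads like a typo to anyone who has not seen the commit message. A one-line comment above the virAsprintf() call, saying that the leading "+" marks each field as a numeric id for virGetUserID() and virGetGroupID(), would keep a later cleanup from dropping it.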
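Review bot: In the VIR_DOMAIN_SECLABEL_DYNAMIC case of virSecurityDACGenLabel() the "+%u:+%u" format string is a second copy of the one in virSecurityDACSetUserAndGroup(). A small shared helper or macro that formats a uid/gid pair would keep the two label producers from drifting apart the next time the label syntax changes.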
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
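The ambiguity raised in the reply above, shown as an added example that is not libvirt code and not part of the original thread: a resolver that tries a name lookup before falling back to a numeric parse, and skips the lookup when the value starts with "+". The function names and the account table are hypothetical, and the table is constructed to contain the odd case of a login name made only of digits.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed account table standing in for the passwd database:
 * the login name "1000" belongs to uid 4242, not uid 1000. */
struct account { const char *name; uid_t uid; };
static const struct account sample_accounts[] = {
    { "root", 0 },
    { "qemu", 107 },
    { "1000", 4242 },
};

/* Hypothetical stand-in for a getpwnam() lookup; returns 0 on a match. */
static int lookup_name(const char *name, uid_t *uid)
{
    for (size_t i = 0; i < sizeof(sample_accounts) / sizeof(sample_accounts[0]); i++) {
        if (strcmp(sample_accounts[i].name, name) == 0) {
            *uid = sample_accounts[i].uid;
            return 0;
        }
    }
    return -1;
}

/* Strict decimal parse: digits only, no sign, no trailing bytes, no overflow. */
static int parse_numeric(const char *s, uid_t *uid)
{
    char *end;
    unsigned long v;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0xfffffffeUL)
        return -1;
    *uid = (uid_t) v;
    return 0;
}

/* "+N" is always a numeric id; a bare string is tried as a name first. */
int resolve_user(const char *spec, uid_t *uid)
{
    if (spec[0] == '+')
        return parse_numeric(spec + 1, uid);
    if (lookup_name(spec, uid) == 0)
        return 0;
    return parse_numeric(spec, uid);
}
```

With this table, a label written as "1000:1000" would resolve its user field to uid 4242, while "+1000:+1000" resolves to uid 1000 regardless of which accounts exist.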