On 10/29/2013 04:13 PM, Eric Blake wrote:
> On 10/29/2013 12:52 PM, John Ferlan wrote:
>> To ensure proper processing by virGetUserID() and virGetGroupID()
>> of a uid/gid add a "+" prior to the uid/gid to denote it's really
>> a uid/gid for the label.
>>
>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
>> ---
>>  src/security/security_dac.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> ACK. Although unlikely, it is possible to have a system with a username
> that is purely digits, and where those digits don't match the underlying
> uid, so it is indeed nice that when we know we have a uid that we force
> the parser to skip a name lookup (which harmlessly fails on 99.99% of
> the systems, but which could potentially get wrong credentials on the
> rare system with odd usernames). Worth including in 1.1.4.
>

Thanks - this is now pushed.

John

It's also notable that without the patch, messages would be sent to
/var/log/messages such as:

Oct 19 10:13:21 myhost libvirtd[4055]: User record for user '1000' was not found: No such file or directory
Oct 19 10:13:21 myhost libvirtd[4055]: Group record for user '1000' was not found: No such file or directory

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
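
The ambiguity discussed in this thread, as an added example that is not part of the original messages and is not libvirt's code: a simplified model of a resolver that tries a name lookup first unless the string starts with "+". The account table, lookup_by_name() and resolve_user() are hypothetical names, and the all-digit account "1000" with uid 4242 is constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the passwd database (not real accounts). */
struct account { const char *name; unsigned int uid; };
static const struct account accounts[] = {
    { "qemu", 107 },
    { "1000", 4242 },   /* all-digit user name whose uid is NOT 1000 */
};

/* Hypothetical name lookup: the account's uid, or -1 when no such name. */
static long long lookup_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcmp(accounts[i].name, name) == 0)
            return accounts[i].uid;
    return -1;
}

/* Simplified model: "+N" is always numeric; anything else is tried as a name first. */
long long resolve_user(const char *label)
{
    char *end;
    unsigned long val;
    long long by_name;

    if (*label == '+')
        label++;                        /* explicit uid: skip the name lookup */
    else if ((by_name = lookup_by_name(label)) >= 0)
        return by_name;                 /* a name match wins over the digits */
    if (*label < '0' || *label > '9')
        return -1;                      /* rejects "", signs, spaces, "+name" */
    errno = 0;
    val = strtoul(label, &end, 10);
    if (errno || *end != '\0' || val > 0xffffffffUL)
        return -1;                      /* trailing junk or out of range */
    return (long long)val;
}

int main(void)
{
    printf(" \"1000\" -> %lld\n", resolve_user("1000"));   /* name lookup hits */
    printf("\"+1000\" -> %lld\n", resolve_user("+1000"));  /* forced numeric */
    return 0;
}
```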