https://bugzilla.redhat.com/show_bug.cgi?id=1033614 As virt-login-shell is an SUID binary, we should restrict its usage to just the users chosen by an administrator to use virt-login-shell as their login shell. This can easily be done by making the binary executable only by users from a new virtlogin group. Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx> --- libvirt.spec.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index a5b01df..864fbf4 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1727,6 +1727,12 @@ if getent group sanlock > /dev/null ; then fi %endif +%if %{with_lxc} +%pre login-shell +getent group virtlogin >/dev/null || groupadd -r virtlogin +exit 0 +%endif + %files %defattr(-, root, root) @@ -2072,7 +2078,7 @@ fi %if %{with_lxc} %files login-shell -%attr(4755, root, root) %{_bindir}/virt-login-shell +%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf %{_mandir}/man1/virt-login-shell.1* %endif -- 1.8.4.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list