Re: [PATCH] spec: Restrict virt-login-shell usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 22, 2013 at 02:57:36PM +0100, Jiri Denemark wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1033614
> 
> As virt-login-shell is an SUID binary, we should restrict its usage to
> just the users chosen by an administrator to use virt-login-shell as
> their login shell. This can easily be done by making the binary
> executable only by users from a new virtlogin group.
> 
> Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
> ---
>  libvirt.spec.in | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index a5b01df..864fbf4 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1727,6 +1727,12 @@ if getent group sanlock > /dev/null ; then
>  fi
>  %endif
>  
> +%if %{with_lxc}
> +%pre login-shell
> +getent group virtlogin >/dev/null || groupadd -r virtlogin
> +exit 0
> +%endif
> +
>  %files
>  %defattr(-, root, root)
>  
> @@ -2072,7 +2078,7 @@ fi
>  
>  %if %{with_lxc}
>  %files login-shell
> -%attr(4755, root, root) %{_bindir}/virt-login-shell
> +%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
>  %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
>  %{_mandir}/man1/virt-login-shell.1*
>  %endif

ACK


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]