On Fri, Nov 22, 2013 at 02:57:36PM +0100, Jiri Denemark wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1033614 > > As virt-login-shell is an SUID binary, we should restrict its usage to > just the users chosen by an administrator to use virt-login-shell as > their login shell. This can easily be done by making the binary > executable only by users from a new virtlogin group. > > Signed-off-by: Jiri Denemark <jdenemar@xxxxxxxxxx> > --- > libvirt.spec.in | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libvirt.spec.in b/libvirt.spec.in > index a5b01df..864fbf4 100644 > --- a/libvirt.spec.in > +++ b/libvirt.spec.in > @@ -1727,6 +1727,12 @@ if getent group sanlock > /dev/null ; then > fi > %endif > > +%if %{with_lxc} > +%pre login-shell > +getent group virtlogin >/dev/null || groupadd -r virtlogin > +exit 0 > +%endif > + > %files > %defattr(-, root, root) > > @@ -2072,7 +2078,7 @@ fi > > %if %{with_lxc} > %files login-shell > -%attr(4755, root, root) %{_bindir}/virt-login-shell > +%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell > %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf > %{_mandir}/man1/virt-login-shell.1* > %endif ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
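Review bot: In the first hunk's new `%pre login-shell` scriptlet, the unconditional `exit 0` hides a failed `groupadd -r virtlogin`, while the `%attr(4750, root, virtlogin)` entry in the second hunk assumes the group exists. Consider printing a message to stderr when group creation fails so the problem shows up in the install log. Also confirm that the login-shell subpackage has a `Requires(pre)` on whatever provides `getent` and `groupadd` (none is visible in this hunk), so the scriptlet cannot run before those tools are installed.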
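Review bot: In the second hunk (`%files login-shell`), the switch from `%attr(4755, root, root)` to `%attr(4750, root, virtlogin)` means that on upgrade any account that already uses virt-login-shell as its login shell can no longer execute it until an administrator adds that account to `virtlogin`. The diffstat shows only libvirt.spec.in changing, so nothing in the patch documents the new requirement. Suggest adding a paragraph to virt-login-shell.1 telling administrators to add the chosen users to the group, for example with `usermod -a -G virtlogin <user>`, and mentioning the behaviour change for existing installations.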