Re: [PATCH 2/2] virt-login-shell joins users into lxc container.

On 07/30/2013 01:55 PM, dwalsh@xxxxxxxxxx wrote:
> From: Dan Walsh <dwalsh@xxxxxxxxxx>
> 
> OpenShift wants to have their gears stuck into a container when they login
> to the system.  virt-login-shell will join a running gear with the username of
> the person running it, or attempt to start the container if it is not running.
> (Currently containers do not exist if they are not running, so I cannot test
> this feature. But the code is there).
> 
> This tool needs to be setuid since joining a container (nsjoin) requires privs.
> The root user is not allowed to execute this command. When this tool is
> run by a normal user it will only join the "users" container.
> 
> Only users who are listed as valid_users in /etc/libvirt/virt-login-shell.conf
> are allowed to join containers using this tool. By default no users are allowed.

Problem.  This is how things get installed:

# ls -ld /etc/libvirt/ /etc/libvirt/virt-login-shell.conf /bin/virt-login-shell
-rwsr-x---. 1 root virtlogin 891744 Dec  4 01:37 /bin/virt-login-shell
drwx------. 6 root root        4096 Dec 23 13:22 /etc/libvirt/
-rw-r--r--. 1 root root        1244 Dec 23 13:22 /etc/libvirt/virt-login-shell.conf

But looking at main():

> +
> +    if (uid == 0) {
> +	virReportSystemError(EPERM, _("%s must be run by non root users"), progname);
> +
> +	errno = EPERM;
> +	goto cleanup;
> +    }
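Review bot: the body of this `if` is indented with a tab while libvirt's HACKING requires spaces only, and "must be run by non root users" reads better as "must not be run as root". Since the binary is installed setuid root (see the listing above), a comment should also state whether `uid` here is the real or the effective uid, because that decides which callers this check actually rejects.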

So root cannot run this program...

> +
> +    if (!(conf = virConfReadFile(login_shell_path, 0)))
> +	goto cleanup;
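Review bot: this `goto cleanup` makes an unopenable config fatal for every permitted caller: the listing above shows /etc/libvirt/ as drwx------ root root, and the previous hunk refuses uid 0, so virConfReadFile cannot reach login_shell_path for anyone who is allowed to run the tool. Either install the file somewhere the virtlogin group can traverse to it or relax the directory mode at install time, and document the required mode in the patch; the tab indentation on the goto line should also become spaces.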

...and non-root invariably fails here, since login_shell_path
(/etc/libvirt/virt-login-shell.conf) is buried inside a directory that
is not searchable by either root or virtlogin.

How on earth did you test this program?  It flat out doesn't work,
unless we change our installation permissions.  Never mind that we also
broke it while trying to fix CVE-2013-4400 - even with that damage
fixed, this shell is completely worthless out of the box for all
released versions of libvirt.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
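The failure Eric describes is a path-traversal permission problem, not a config-parsing one, and it is easy to catch before shipping. The program below is an added example (not libvirt code and not part of this thread): it re-implements the classic owner/group/other check for each directory prefix of an absolute path and then for the file itself, so a maintainer or an install-time test can ask "could uid X with gid Y open this config?" and get the first blocking component back as a diagnostic. It assumes plain POSIX stat()/chmod() semantics, ignores ACLs and supplementary groups (so a "no" is conservative), treats uid 0 as bypassing DAC, and builds a constructed fixture under /tmp that mirrors the listing in the mail (a 0700 directory containing a 0644 file). The names `config_readable_by`, `build_fixture` and `make_parent_traversable` are the example's own.

```c
/* Added example: install-time check that a config file is reachable by a
 * non-root caller. Not libvirt code; uses only POSIX stat()/chmod(). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static char g_why[256];         /* reason for the last failed check */
static char g_conf[PATH_MAX];   /* path created by build_fixture() */

const char *last_reason(void) { return g_why; }
const char *fixture_conf_path(void) { return g_conf; }

/* Classic DAC: would (uid, gid) get read (want_r) / search-or-exec (want_x)
 * on this inode? Root bypasses DAC (CAP_DAC_OVERRIDE); ACLs and supplementary
 * groups are deliberately ignored, so a "no" here is conservative. */
static int dac_allows(const struct stat *st, uid_t uid, gid_t gid, int want_r, int want_x)
{
    mode_t r, x;
    if (uid == 0)
        return 1;
    if (uid == st->st_uid)      { r = S_IRUSR; x = S_IXUSR; }
    else if (gid == st->st_gid) { r = S_IRGRP; x = S_IXGRP; }
    else                        { r = S_IROTH; x = S_IXOTH; }
    return (!want_r || (st->st_mode & r)) && (!want_x || (st->st_mode & x));
}

/* Walk "/" and every directory prefix of an absolute path, then the file
 * itself. Returns 1 if (uid, gid) could open it for reading, else 0 with the
 * first blocking component described in last_reason(). Run it while still
 * privileged (or as root at install time): the stat() calls use our own creds. */
int config_readable_by(const char *path, uid_t uid, gid_t gid)
{
    char prefix[PATH_MAX];
    struct stat st;
    size_t i, len = strlen(path);

    if (path[0] != '/' || len >= sizeof(prefix)) {
        snprintf(g_why, sizeof g_why, "need an absolute path under %zu bytes", sizeof prefix);
        return 0;
    }
    for (i = 0; i < len; i++) {
        if (path[i] != '/' || (i > 0 && path[i - 1] == '/'))
            continue;                    /* not a separator, or a "//" run */
        size_t plen = i ? i : 1;         /* i == 0 is the root directory "/" */
        memcpy(prefix, path, plen);
        prefix[plen] = '\0';
        if (stat(prefix, &st) < 0) {
            snprintf(g_why, sizeof g_why, "%s: %s", prefix, strerror(errno));
            return 0;
        }
        if (!S_ISDIR(st.st_mode) || !dac_allows(&st, uid, gid, 0, 1)) {
            snprintf(g_why, sizeof g_why, "%s not searchable by uid %u gid %u (mode %04o)",
                     prefix, (unsigned)uid, (unsigned)gid, (unsigned)(st.st_mode & 07777));
            return 0;
        }
    }
    if (stat(path, &st) < 0) {
        snprintf(g_why, sizeof g_why, "%s: %s", path, strerror(errno));
        return 0;
    }
    if (!dac_allows(&st, uid, gid, 1, 0)) {
        snprintf(g_why, sizeof g_why, "%s not readable by uid %u gid %u (mode %04o)",
                 path, (unsigned)uid, (unsigned)gid, (unsigned)(st.st_mode & 07777));
        return 0;
    }
    g_why[0] = '\0';
    return 1;
}

/* Constructed fixture mirroring the listing in the mail: <tmp>/etc is a 0700
 * private directory and the conf inside it is 0644. Returns the conf path. */
const char *build_fixture(void)
{
    char dir[PATH_MAX], tmpl[] = "/tmp/vls-demo-XXXXXX";
    int fd;
    if (!mkdtemp(tmpl) || chmod(tmpl, 0755) < 0)
        return NULL;
    snprintf(dir, sizeof dir, "%s/etc", tmpl);
    if (mkdir(dir, 0700) < 0 || chmod(dir, 0700) < 0)
        return NULL;
    snprintf(g_conf, sizeof g_conf, "%s/virt-login-shell.conf", dir);
    if ((fd = open(g_conf, O_WRONLY | O_CREAT, 0644)) < 0)
        return NULL;
    close(fd);
    return chmod(g_conf, 0644) == 0 ? g_conf : NULL;   /* umask-independent */
}

/* Minimal fix: give the parent directory the search bit only (0711), so
 * callers can traverse it without being able to list its contents. */
int make_parent_traversable(const char *path)
{
    char dir[PATH_MAX], *slash;
    snprintf(dir, sizeof dir, "%s", path);
    if (!(slash = strrchr(dir, '/')) || slash == dir)
        return -1;
    *slash = '\0';
    return chmod(dir, 0711);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/libvirt/virt-login-shell.conf";
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[2]) : getuid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[3]) : getgid();
    if (config_readable_by(path, uid, gid))
        printf("%s: readable by uid %u gid %u\n", path, (unsigned)uid, (unsigned)gid);
    else
        printf("%s: NOT readable: %s\n", path, last_reason());
    return 0;
}
```

Run as root with a virtlogin member's uid and gid as arguments, it reports the same `drwx------` directory Eric found as the blocking component; the 0711 fix is the least that makes traversal work without exposing the directory listing.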


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
