On 07/30/2013 01:55 PM, dwalsh@xxxxxxxxxx wrote: > From: Dan Walsh <dwalsh@xxxxxxxxxx> > > Openshift wants to have their gears stuck into a container when they login > to the system. virt-login-shell will join a running gear with the username of > the person running it, or attempt to start the container if it is not running. > (Currently containers do not exist if they are not running, so I can not test > this feature. But the code is there). > > This tool needs to be setuid since joining a container (nsjoin) requires privs. > The root user is not allowed to execute this command. When this tool is > run by a normal user it will only join the "users" container. > > Only users who are listed as valid_users in /etc/libvirt/virt-login-shell.conf > are allowed to join containers using this tool. By default no users are allowed. Problem. This is how things get installed: # ls -ld /etc/libvirt/ /etc/libvirt/virt-login-shell.conf /bin/virt-login-shell -rwsr-x---. 1 root virtlogin 891744 Dec 4 01:37 /bin/virt-login-shell drwx------. 6 root root 4096 Dec 23 13:22 /etc/libvirt/ -rw-r--r--. 1 root root 1244 Dec 23 13:22 /etc/libvirt/virt-login-shell.conf But looking at main(): > + > + if (uid == 0) { > + virReportSystemError(EPERM, _("%s must be run by non root users"), progname); > + > + errno = EPERM; > + goto cleanup; > + } So root cannot run this program... > + > + if (!(conf = virConfReadFile(login_shell_path, 0))) > + goto cleanup; ...and non-root invariably fails here, since login_shell_path (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that is not searchable by either root or virtlogin. How on earth did you test this program? It flat out doesn't work, unless we change our installation permissions. Never mind that we also broke it while trying to fix CVE-2013-4400 - even with that damage fixed, this shell is completely worthless out of the box for all released versions of libvirt. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list