On 01/02/2014 08:18 AM, Daniel J Walsh wrote:
> On 12/23/2013 05:44 PM, Eric Blake wrote:
>> On 12/23/2013 03:17 PM, Eric Blake wrote:
>
>>>>> + if (!(conf = virConfReadFile(login_shell_path, 0))) + goto
>>>>> cleanup;
>>>>
>>>> ...and non-root invariably fails here, since login_shell_path
>>>> (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that
>>>> is not searchable by either root or virtlogin.
>>>
>>> Ah, I see - non-root fails here if run unprivileged (such as under gdb),
>>> but when run setuid it has the permissions of root and can read the file
>>> just fine.
>
> Maybe need to give it cap_dac_read_search?
>
> /* Overrides all DAC restrictions regarding read and search on files
> and directories, including ACL restrictions if [_POSIX_ACL] is
> defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
>
> #define CAP_DAC_READ_SEARCH 2

Nah, I was able to fix the issue without needing any more caps:

https://www.redhat.com/archives/libvir-list/2013-December/msg01243.html

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
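
Review bot: on the quoted `virConfReadFile(login_shell_path, 0)` line, the failure path is a bare `goto cleanup` and the two visible lines carry no message or comment, so the unprivileged case discussed in this thread (run under gdb rather than setuid) fails with nothing at the call site tying it to the unreadable config path. Suggest a comment at this call, or an error that names login_shell_path, stating that the read relies on the binary running setuid.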