On Mon, Jun 20, 2016 at 08:10:10 -0400, John Ferlan wrote:
On 06/17/2016 09:44 AM, Peter Krempa wrote:
> Since introduction of the DAC security driver we've documented that
> seclabels with a leading + can be used with numerical uid. This would
> not work though with the rest of libvirt if the uid was not actually
> used in the system as we'd fail when trying to get a list of
> supplementary groups for the given uid. Since a uid without entry in
> /etc/passwd (or other user database) will not have any supplementary
> groups we can treat the failure to obtain them as such.
>
> This patch modifies virGetGroupList to not report the error for missing
> users and makes it return an empty list or just the group specified in
> @gid.
>
> All callers will grand less permissions in case of failure and thus this
> change is safe.
"grand less"? did you mean "gain less"?
I've explained it a bit more:
All callers will grant less permissions to a user in case of failure of
this function and thus this change is safe.
ACK series (just typed out loud below)
John
> ---
> src/util/virutil.c | 31 ++++++++++++++++---------------
> 1 file changed, 16 insertions(+), 15 deletions(-)
>
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index 392091b..60da17b 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
[...]
> + }
> }
Playing the "what if" game here. If for some reason uid == -1 OR
virGetUserEnt fails, then
gid - still to be determined
ret = 0
>
> if (gid != (gid_t)-1) {
>
If we enter this "if", then the for loop will exit immediately and the
VIR_APPEND_ELEMENT will append that gid onto *list which is IIRC what we
want. Then ret will be set to 1 (i) and we return. Otherwise if gid ==
-1, then we return 0, which is still fine.
Yep I wanted to achieve exactly this logic as it makes most sense IMO.
I've pushed this now. Thanks.
Peter