Re: [libvirt] [PATCH] Call initgroups for qemu's uid prior to exec

On 12/21/2010 01:45 PM, Laine Stump wrote: > This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406 > > If qemu is run as a different uid, it has been unable to access mode > 0660 files that are owned by a different user, but with a group that > the qemu is a member of (aside from the one group listed in the passwd > file). initgroups will change the group membership of the process (and > its children) to match the new uid. > --- > src/qemu/qemu_security_dac.c | 27 +++++++++++++++++++++++++++ > 1 files changed, 27 insertions(+), 0 deletions(-) > > diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c > index 55dc0c6..2e60aec 100644 > --- a/src/qemu/qemu_security_dac.c > +++ b/src/qemu/qemu_security_dac.c > @@ -12,6 +12,8 @@ > #include<sys/types.h> > #include<sys/stat.h> > #include<fcntl.h> > +#include<pwd.h> > +#include<grp.h> > > #include "qemu_security_dac.h" > #include "qemu_conf.h" > @@ -558,6 +560,30 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, > } > } > if (driver->user) { > + struct passwd pwd, *pwd_result; > + char *buf = NULL; > + size_t bufsize = 16384; qemu_driver.c sets this to 1024*1024. Will that matter?

For that matter, can't you provide this functionality in a single .c file so that both qemudOpenAsUID and qemuSecurityDACSetProcessLabel can share the benefits of common code?

That refactoring probably deserves a v2.

> @@ -566,6 +592,7 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, > } > } > > + > return 0; Spurious whitespace change.