Re: [libvirt] [PATCH] spec: Restrict virt-login-shell usage
On Fri, Nov 22, 2013 at 02:57:36PM +0100, Jiri Denemark wrote:
https://bugzilla.redhat.com/show_bug.cgi?id=1033614
As virt-login-shell is an SUID binary, we should restrict its usage to
just the users chosen by an administrator to use virt-login-shell as
their login shell. This can easily be done by making the binary
executable only by users from a new virtlogin group.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
libvirt.spec.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index a5b01df..864fbf4 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1727,6 +1727,12 @@ if getent group sanlock > /dev/null ; then
fi
%endif
+%if %{with_lxc}
+%pre login-shell
+getent group virtlogin >/dev/null || groupadd -r virtlogin
+exit 0
+%endif
+
%files
%defattr(-, root, root)
@@ -2072,7 +2078,7 @@ fi
%if %{with_lxc}
%files login-shell
-%attr(4755, root, root) %{_bindir}/virt-login-shell
+%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
%{_mandir}/man1/virt-login-shell.1*
%endif
ACK
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|