4:25 p.m.
I believe I have gotten all of Dan B comments implemented, with a couple of
changes.
1. I no longer allow root to execute the command.
2. Rather then allow the globbing syntax for allowed_users in the config, I
added the abiltiy to specify groups.
[PATCH] virt-login-shell joins users into lxc container.
4:25 p.m.
New subject: [libvirt] [PATCH] virt-login-shell joins users into lxc container.
From: Dan Walsh <dwalsh(a)redhat.com>
Openshift wants to have their gears stuck into a container when they login
to the system. virt-login-shell will join a running gear with the username of
the person running it, or attempt to start the container if it is not running.
(Currently containers do not exist if they are not running, so I can not test
this feature. But the code is there).
This tool needs to be setuid since joining a container (nsjoin) requires privs.
As root you should be able to join arbitrary containers, but when this tool is
run by a normal user it will only join the "users" container.
---
.gitignore | 1 +
libvirt.spec.in | 3 +
mingw-libvirt.spec.in | 5 +
po/POTFILES.in | 1 +
tools/Makefile.am | 33 ++++-
tools/virt-login-shell.c | 310 ++++++++++++++++++++++++++++++++++++++++++++
tools/virt-login-shell.conf | 24 ++++
tools/virt-login-shell.pod | 62 +++++++++
8 files changed, 438 insertions(+), 1 deletion(-)
create mode 100644 tools/virt-login-shell.c
create mode 100755 tools/virt-login-shell.conf
create mode 100644 tools/virt-login-shell.pod
diff --git a/.gitignore b/.gitignore
index 3efc2e4..dcb57bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -212,6 +212,7 @@
/tools/libvirt-guests.init
/tools/libvirt-guests.service
/tools/libvirt-guests.sh
+/tools/virt-login-shell
/tools/virsh
/tools/virsh-*-edit.c
/tools/virt-*-validate
diff --git a/libvirt.spec.in b/libvirt.spec.in
index e0e0004..34e3594 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1751,6 +1751,7 @@ fi
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%endif
%if %{with_lxc}
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
%endif
@@ -1830,6 +1831,8 @@ fi
%if %{with_lxc}
%attr(0755, root, root) %{_libexecdir}/libvirt_lxc
+%attr(4755, root, root) %{_bindir}/virt-login-shell
+%{_mandir}/man1/virt-login-shell.1*
%endif
%if %{with_storage_disk}
diff --git a/mingw-libvirt.spec.in b/mingw-libvirt.spec.in
index aa39231..36c9481 100644
--- a/mingw-libvirt.spec.in
+++ b/mingw-libvirt.spec.in
@@ -185,9 +185,11 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh
%files -n mingw32-libvirt
%dir %{mingw32_sysconfdir}/libvirt/
%config(noreplace) %{mingw32_sysconfdir}/libvirt/libvirt.conf
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
%{mingw32_bindir}/libvirt-0.dll
%{mingw32_bindir}/virsh.exe
+%{mingw32_bindir}/virt-login-shell.exe
%{mingw32_bindir}/virt-xml-validate
%{mingw32_bindir}/virt-pki-validate
%{mingw32_bindir}/virt-host-validate.exe
@@ -236,6 +238,7 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh
%{mingw32_mandir}/man1/virt-xml-validate.1*
%{mingw32_mandir}/man1/virt-pki-validate.1*
%{mingw32_mandir}/man1/virt-host-validate.1*
+%{mingw32_mandir}/man1/virt-login-shell.1*
%files -n mingw32-libvirt-static
%{mingw32_libdir}/libvirt.a
@@ -246,9 +249,11 @@ rm -rf $RPM_BUILD_ROOT%{mingw64_libexecdir}/libvirt-guests.sh
%files -n mingw64-libvirt
%dir %{mingw64_sysconfdir}/libvirt/
%config(noreplace) %{mingw64_sysconfdir}/libvirt/libvirt.conf
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
%{mingw64_bindir}/libvirt-0.dll
%{mingw64_bindir}/virsh.exe
+%{mingw64_bindir}/virt-login-shell.exe
%{mingw64_bindir}/virt-xml-validate
%{mingw64_bindir}/virt-pki-validate
%{mingw64_bindir}/virt-host-validate.exe
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 1fd84af..884b70a 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -231,3 +231,4 @@ tools/virt-host-validate-common.c
tools/virt-host-validate-lxc.c
tools/virt-host-validate-qemu.c
tools/virt-host-validate.c
+tools/virt-login-shell.c
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 644a86d..b4bed0b 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -37,6 +37,7 @@ EXTRA_DIST = \
virt-pki-validate.in \
virt-sanlock-cleanup.in \
virt-sanlock-cleanup.8 \
+ virt-login-shell.pod \
virsh.pod \
libvirt-guests.sysconf \
virsh-edit.c \
@@ -52,8 +53,11 @@ EXTRA_DIST = \
DISTCLEANFILES =
+confdir = $(sysconfdir)/libvirt
+conf_DATA = virt-login-shell.conf
+
bin_SCRIPTS = virt-xml-validate virt-pki-validate
-bin_PROGRAMS = virsh virt-host-validate
+bin_PROGRAMS = virsh virt-host-validate virt-login-shell
libexec_SCRIPTS = libvirt-guests.sh
if WITH_SANLOCK
@@ -65,6 +69,7 @@ dist_man1_MANS = \
virt-host-validate.1 \
virt-pki-validate.1 \
virt-xml-validate.1 \
+ virt-login-shell.1 \
virsh.1
if WITH_SANLOCK
dist_man8_MANS = virt-sanlock-cleanup.8
@@ -128,6 +133,27 @@ virt_host_validate_CFLAGS = \
$(COVERAGE_CFLAGS) \
$(NULL)
+virt_login_shell_SOURCES = \
+ virt-login-shell.conf \
+ virt-login-shell.c
+
+virt_login_shell_LDFLAGS = $(COVERAGE_LDFLAGS)
+virt_login_shell_LDADD = \
+ $(STATIC_BINARIES) \
+ $(PIE_LDFLAGS) \
+ $(RELRO_LDFLAGS) \
+ ../src/libvirt.la \
+ ../src/libvirt-lxc.la \
+ ../gnulib/lib/libgnu.la \
+ $(LIBXML_LIBS)
+
+virt_login_shell_CFLAGS = \
+ $(WARN_CFLAGS) \
+ $(PIE_CFLAGS) \
+ $(COVERAGE_CFLAGS) \
+ $(LIBXML_CFLAGS) \
+ $(READLINE_CFLAGS)
+
virsh_SOURCES = \
console.c console.h \
virsh.c virsh.h \
@@ -189,6 +215,11 @@ virsh_win_icon.$(OBJEXT): virsh_win_icon.rc
--output-format coff --output $@
endif
+virt-login-shell.1: virt-login-shell.pod $(top_srcdir)/configure.ac
+ $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ \
+ && if grep 'POD ERROR' $(srcdir)/$@ ; then \
+ rm $(srcdir)/$@; exit 1; fi
+
virsh.1: virsh.pod $(top_srcdir)/configure.ac
$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ \
&& if grep 'POD ERROR' $(srcdir)/$@ ; then \
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
new file mode 100644
index 0000000..2528199
--- /dev/null
+++ b/tools/virt-login-shell.c
@@ -0,0 +1,310 @@
+/*
+ * virt-login-shell.c: a shell to connect to a container
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Daniel Walsh <dwalsh(a)redhat.com>
+ */
+#include <config.h>
+#include "virconf.h"
+#include "virfile.h"
+#include "virprocess.h"
+#include "configmake.h"
+#include "virstring.h"
+#include "viralloc.h"
+#include "vircommand.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+static int nfdlist = 0;
+static int *fdlist = NULL;
+
+static void virLoginShellFini(virConnectPtr conn, virDomainPtr dom) {
+ size_t i;
+ if (nfdlist > 0) {
+ for (i=0; i < nfdlist; i++)
+ VIR_FORCE_CLOSE(fdlist[i]);
+ VIR_FREE(fdlist);
+ nfdlist = 0;
+ }
+ if (dom)
+ virDomainFree(dom);
+ if (conn)
+ virConnectClose(conn);
+}
+
+static int virLoginShellAllowedUser(virConfPtr conf,
+ uid_t uid,
+ gid_t gid,
+ char *name) {
+ virConfValuePtr p;
+ int ret = 0;
+ char *ptr = NULL;
+ size_t i;
+ gid_t *groups = NULL;
+
+ p = virConfGetValue(conf, "allowed_users");
+ if (!p) {
+ errno = EPERM;
+ fprintf(stderr, _("%s is not allowed to connect a container: %m\n"),
name);
+ goto err;
+ }
+ if (p && p->type == VIR_CONF_LIST) {
+ size_t len;
+ virConfValuePtr pp;
+
+ /* Calc length and check items */
+ for (len = 0, pp = p->list; pp; len++, pp = pp->next) {
+ if (pp->type != VIR_CONF_STRING) {
+ fprintf(stderr, _("shell must be a list of strings"));
+ goto err;
+ } else {
+ if (STREQ(pp->str, "*") || STREQ(pp->str, name)) {
+ ret = 0;
+ goto cleanup;
+ }
+ if (pp->str[0] == '%') {
+ ptr=&pp->str[1];
+ gid_t groupid;
+ if (virGetGroupID(ptr, &groupid) < 0) {
+ fprintf(stderr, _("(%s) is not a valid group\n"),
ptr);
+ continue;
+ }
+ if (virGetGroupList(uid, gid, &groups) < 0)
+ goto err;
+ for (i=0; groups[i]; i++) {
+ if (groups[i] == groupid) {
+ ret = 0;
+ goto cleanup;
+ }
+ }
+ }
+ }
+ }
+ }
+ errno = EPERM;
+ fprintf(stderr, _("%s is not allowed to connect a container: %m\n"),
name);
+err:
+ ret = -1;
+cleanup:
+ VIR_FREE(groups);
+ return ret;
+}
+
+static char **virLoginShellGetShellArgv(virConfPtr conf) {
+ size_t i;
+ char **shargv;
+ virConfValuePtr p;
+ p = virConfGetValue(conf, "shell");
+ if (!p)
+ return virStringSplit("/bin/sh --login", " ", 3);
+
+ if (p && p->type == VIR_CONF_LIST) {
+ size_t len;
+ virConfValuePtr pp;
+
+ /* Calc length and check items */
+ for (len = 0, pp = p->list; pp; len++, pp = pp->next) {
+ if (pp->type != VIR_CONF_STRING) {
+ fprintf(stderr, _("shell must be a list of strings"));
+ goto err;
+ }
+ }
+
+ if (VIR_ALLOC_N(shargv, len + 1) < 0) {
+ fprintf(stderr, _("out of memory"));
+ goto err;
+ }
+ for (i = 0, pp = p->list; pp; i++, pp = pp->next) {
+ if (VIR_STRDUP(shargv[i], pp->str) < 0) {
+ fprintf(stderr, _("out of memory"));
+ goto err;
+ }
+ }
+ shargv[len] = NULL;
+ }
+ return shargv;
+err:
+ virStringFreeList(shargv);
+ return NULL;
+}
+
+int
+main(int argc, char **argv) {
+ virConfPtr conf = NULL;
+ const char *login_shell_path = SYSCONFDIR
"/libvirt/virt-login-shell.conf";
+ pid_t cpid;
+ int ret = EXIT_FAILURE;
+ int status;
+ int status2;
+ uid_t uid = getuid();
+ gid_t gid = getgid();
+ char *name;
+ char **shargv = NULL;
+ virSecurityModelPtr secmodel = NULL;
+ virSecurityLabelPtr seclabel = NULL;
+ virDomainPtr dom = NULL;
+ virConnectPtr conn = NULL;
+ if (!setlocale(LC_ALL, "")) {
+ perror("setlocale");
+ /* failure to setup locale is not fatal */
+ }
+ if (!bindtextdomain(PACKAGE, LOCALEDIR)) {
+ perror("bindtextdomain");
+ return EXIT_FAILURE;
+ }
+ if (!textdomain(PACKAGE)) {
+ perror("textdomain");
+ return EXIT_FAILURE;
+ }
+
+ if (uid == 0) {
+ errno = EPERM;
+ fprintf(stderr, _("%s must be run by non root users: %m\n"), argv[0]);
+ goto err;
+ }
+
+ if (argc > 1) {
+ errno = EINVAL;
+ fprintf(stderr, _("%s takes no options: %m\n"), argv[0]);
+ goto err;
+ }
+
+ name = virGetUserName(uid);
+
+ if (!(conf = virConfReadFile(login_shell_path, 0))) {
+ fprintf(stderr, _("Failed to read %s: %m\n"), login_shell_path);
+ goto err;
+ }
+ if (virLoginShellAllowedUser(conf, uid, gid, name) < 0)
+ goto err;
+
+ if (!(shargv = virLoginShellGetShellArgv(conf)))
+ goto err;
+
+ conn = virConnectOpen("lxc:///");
+ if (!conn) {
+ fprintf(stderr, _("Unable to connect to lxc:///: %m\n"));
+ goto err;
+ }
+
+ dom = virDomainLookupByName(conn, name);
+ if (!dom) {
+ fprintf(stderr, _("Container %s does not exist: %m\n"), name);
+ goto err;
+ }
+
+ if (! virDomainIsActive(dom) && virDomainCreate(dom)) {
+ virErrorPtr last_error;
+ last_error = virGetLastError();
+ if (last_error->code != VIR_ERR_OPERATION_INVALID) {
+ fprintf(stderr,_("Can't create %s container: %s\n"), name,
virGetLastErrorMessage());
+ goto err;
+ }
+ }
+
+ if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0) {
+ fprintf(stderr,_("Can't open %s namespace: %m\n"), name);
+ goto err;
+ }
+
+ if (VIR_ALLOC(secmodel) < 0) {
+ fprintf(stderr, _("Failed to allocate security model: %m\n"));
+ goto err;
+ }
+ if (VIR_ALLOC(seclabel) < 0) {
+ fprintf(stderr, _("Failed to allocate security label: %m\n"));
+ goto err;
+ }
+ if (virNodeGetSecurityModel(conn, secmodel) < 0)
+ goto err;
+ if (virDomainGetSecurityLabel(dom, seclabel) < 0)
+ goto err;
+
+ if (virFork(&cpid) < 0)
+ goto err;
+
+ if (cpid == 0) {
+ gid_t *groups = NULL;
+ int ngroups;
+ pid_t ccpid;
+
+ /* Fork once because we don't want to affect
+ * virt-login-shell's namespace itself
+ */
+ if (virSetUIDGID(0, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Unable to setresuid: %m\n"));
+ return EXIT_FAILURE;
+ }
+
+ if (virDomainLxcEnterSecurityLabel(secmodel,
+ seclabel,
+ NULL,
+ 0) < 0)
+ return EXIT_FAILURE;
+
+ if (nfdlist > 0) {
+ if (virDomainLxcEnterNamespace(dom,
+ nfdlist,
+ fdlist,
+ NULL,
+ NULL,
+ 0) < 0)
+ return EXIT_FAILURE;
+ }
+
+ if ((ngroups = virGetGroupList(uid, gid, &groups)) < 0)
+ return -1;
+
+ ret = virSetUIDGIDWithCaps(uid, gid, groups, ngroups, 0, 0);
+ VIR_FREE(groups);
+ if (ret < 0)
+ return -1;
+
+ if (virFork(&ccpid) < 0)
+ return EXIT_FAILURE;
+
+ if (ccpid == 0) {
+ char *homedir = virGetUserDirectory();
+ if (chdir(homedir) < 0) {
+ fprintf(stderr, _("Unable chdir(%s): %m\n"), homedir);
+ return EXIT_FAILURE;
+ }
+ if (execv(shargv[0], (char *const*) shargv) < 0) {
+ fprintf(stderr, _("Unable exec shell %s: %m\n"), shargv[0]);
+ return EXIT_FAILURE;
+ }
+ }
+ return virProcessWait(ccpid, &status2);
+ }
+ ret = virProcessWait(cpid, &status);
+ goto cleanup;
+err:
+ ret = EXIT_FAILURE;
+cleanup:
+ virConfFree(conf);
+ virLoginShellFini(conn, dom);
+ virStringFreeList(shargv);
+ VIR_FREE(seclabel);
+ VIR_FREE(secmodel);
+ return ret;
+}
diff --git a/tools/virt-login-shell.conf b/tools/virt-login-shell.conf
new file mode 100755
index 0000000..107424a
--- /dev/null
+++ b/tools/virt-login-shell.conf
@@ -0,0 +1,24 @@
+# Master configuration file for the virt-login-shell program.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, virt-login-shell will connect you to a container running
+# with the /bin/sh program. Modify the shell variable if you want your
+# users to run a different shell or a setup containe when joining a
+# container. Shell commands must be a list of commands/options separated by
+# comma and delimited by square brackets. Defaults to: /bin/sh --login.
+# Modify and uncomment the following to modify the login shell.
+# shell = [ "/bin/sh", "--login" ]
+
+# allowed_users specifies the user name of all users that are allowed to execute
+# virt-login-shell. You can specify the users as a comma separated list of usernames.
+# The variable support glob syntaxt, if you specify no names
+# (default) then no one except root is allowed to use this executable.
+# to allow fred and joe only
+# allowed_users = ["fred", "joe"]
+# To allow all users within a specific group prefix the group name with %, etc
+# allowed_users = ["%engineers"]
+# to allow all users specify the following
+# allowed_users = [ "*" ]
+# disallow all users
+# allowed_users = []
diff --git a/tools/virt-login-shell.pod b/tools/virt-login-shell.pod
new file mode 100644
index 0000000..0f77155
--- /dev/null
+++ b/tools/virt-login-shell.pod
@@ -0,0 +1,62 @@
+=head1 NAME
+
+virt-login-shell - tool to execute a shell within a container matching the users name
+
+=head1 SYNOPSIS
+
+B<virt-login-shell>
+
+=head1 DESCRIPTION
+
+The B<virt-login-shell> program is setuid shell that is used to join
+an LXC container that matches the users name. If the container is not
+running virt-login-shell will attempt to start the container.
+virt-sandbox-shell is not allowed to be run by root. Normal users will get
+added to a container that matches their username, if it exists. And they are
+configured in /etc/libvirt/virt-login-shell.conf.
+
+The basic structure of most virt-login-shell usage is:
+
+ virt-login-shell
+
+=head1 CONFIG
+
+By default, virt-login-shell will execute the /bin/sh program for the user.
+You can modify this behaviour by defining the shell variable in
/etc/libvirt/virt-login-shell.conf.
+
+eg. shell = [ "/bin/ksh", "--login"]
+
+By default no users are allowed to user virt-login-shell, if you want to allow
+certain users to use virt-login-shell, you need to modify the allowed_users variable in
/etc/libvirt/virt-login-shell.conf.
+
+eg. allowed_users = [ "tom", "dick", "harry" ]
+
+=head1 BUGS
+
+Report any bugs discovered to the libvirt community via the mailing
+list C<http://libvirt.org/contact.html> or bug tracker
C<http://libvirt.org/bugs.html>;.
+Alternatively report bugs to your software distributor / vendor.
+
+=head1 AUTHORS
+
+ Please refer to the AUTHORS file distributed with libvirt.
+
+ Daniel Walsh <dwalsh at redhat dot com>
+
+=head1 COPYRIGHT
+
+Copyright (C) 2013 Red Hat, Inc., and the authors listed in the
+libvirt AUTHORS file.
+
+=head1 LICENSE
+
+virt-login-shell is distributed under the terms of the GNU LGPL v2+.
+This is free software; see the source for copying conditions. There
+is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE
+
+=head1 SEE ALSO
+
+L<virsh(1)>, L<http://www.libvirt.org/>
+
+=cut
--
1.8.3.1
8:38 a.m.
New subject: [libvirt] [PATCH] virt-login-shell joins users into lxc container.
On Thu, Jul 18, 2013 at 05:25:56PM -0400, dwalsh(a)redhat.com wrote:
diff --git a/libvirt.spec.in b/libvirt.spec.in
index e0e0004..34e3594 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1751,6 +1751,7 @@ fi
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
%endif
%if %{with_lxc}
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
The Makefile.am for this is not conditional on WITH_LXC, so
you shoyuld have this outside the %{with_lxc} block.
%config(noreplace) %{_sysconfdir}/libvirt/lxc.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.lxc
%endif
@@ -1830,6 +1831,8 @@ fi
%if %{with_lxc}
%attr(0755, root, root) %{_libexecdir}/libvirt_lxc
+%attr(4755, root, root) %{_bindir}/virt-login-shell
+%{_mandir}/man1/virt-login-shell.1*
Same for these two.
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 644a86d..b4bed0b 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
+virt_login_shell_LDFLAGS = $(COVERAGE_LDFLAGS)
+virt_login_shell_LDADD = \
+ $(STATIC_BINARIES) \
+ $(PIE_LDFLAGS) \
+ $(RELRO_LDFLAGS) \
+ ../src/libvirt.la \
+ ../src/libvirt-lxc.la \
+ ../gnulib/lib/libgnu.la \
+ $(LIBXML_LIBS)
Can remove LIBXML_LIBS
+
+virt_login_shell_CFLAGS = \
+ $(WARN_CFLAGS) \
+ $(PIE_CFLAGS) \
+ $(COVERAGE_CFLAGS) \
+ $(LIBXML_CFLAGS) \
+ $(READLINE_CFLAGS)
Can remove LIBXML & READLINE here.
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
new file mode 100644
index 0000000..2528199
--- /dev/null
+++ b/tools/virt-login-shell.c
@@ -0,0 +1,310 @@
+#include <selinux/selinux.h>
I don't think you need this, since all selinux stuff is hidden
inside libvirt APIs.
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+static int nfdlist = 0;
s/int/size_t/
+static int *fdlist = NULL;
+
+static void virLoginShellFini(virConnectPtr conn, virDomainPtr dom) {
+ size_t i;
+ if (nfdlist > 0) {
No need to have this if (nfdlist > 0) since the next for() condition
already handles that, and VIR_FREE(NULL) is safe.
+ for (i=0; i < nfdlist; i++)
+ VIR_FORCE_CLOSE(fdlist[i]);
+ VIR_FREE(fdlist);
+ nfdlist = 0;
+ }
+ if (dom)
+ virDomainFree(dom);
+ if (conn)
+ virConnectClose(conn);
+}
+
+static int virLoginShellAllowedUser(virConfPtr conf,
+ uid_t uid,
Some trailing whitespace at the end of the line - make syntax-check
will vcalidate this.
+ gid_t gid,
+ char *name) {
+ virConfValuePtr p;
+ int ret = 0;
Again, normal practice is to initialize 'ret = -1' - ie expect
failure
+ char *ptr = NULL;
+ size_t i;
+ gid_t *groups = NULL;
+
+ p = virConfGetValue(conf, "allowed_users");
+ if (!p) {
+ errno = EPERM;
+ fprintf(stderr, _("%s is not allowed to connect a container: %m\n"),
name);
+ goto err;
+ }
+ if (p && p->type == VIR_CONF_LIST) {
+ size_t len;
+ virConfValuePtr pp;
+
+ /* Calc length and check items */
+ for (len = 0, pp = p->list; pp; len++, pp = pp->next) {
+ if (pp->type != VIR_CONF_STRING) {
+ fprintf(stderr, _("shell must be a list of strings"));
+ goto err;
+ } else {
+ if (STREQ(pp->str, "*") || STREQ(pp->str, name)) {
+ ret = 0;
+ goto cleanup;
+ }
You don't wnat to be using STREQ for this. Instead us fnmatch()
which does proper glob matching.
+ if (pp->str[0] == '%') {
+ ptr=&pp->str[1];
+ gid_t groupid;
+ if (virGetGroupID(ptr, &groupid) < 0) {
+ fprintf(stderr, _("(%s) is not a valid group\n"),
ptr);
+ continue;
+ }
+ if (virGetGroupList(uid, gid, &groups) < 0)
+ goto err;
+ for (i=0; groups[i]; i++) {
+ if (groups[i] == groupid) {
+ ret = 0;
+ goto cleanup;
+ }
+ }
We want to have glob matching support on group names too, so you
can't just match on groupid. You'll need to turn the groupid into
a groupname, and then use fnmatch() again.
+ }
+ }
+ }
+ }
+ errno = EPERM;
+ fprintf(stderr, _("%s is not allowed to connect a container: %m\n"),
name);
+err:
You don't need this err: label if you initialize ret == -1;
+ ret = -1;
and change this to 'ret = 0'
+cleanup:
+ VIR_FREE(groups);
+ return ret;
+}
+
+static char **virLoginShellGetShellArgv(virConfPtr conf) {
+ size_t i;
+ char **shargv;
+ virConfValuePtr p;
+ p = virConfGetValue(conf, "shell");
+ if (!p)
+ return virStringSplit("/bin/sh --login", " ", 3);
+
+ if (p && p->type == VIR_CONF_LIST) {
+ size_t len;
+ virConfValuePtr pp;
+
+ /* Calc length and check items */
+ for (len = 0, pp = p->list; pp; len++, pp = pp->next) {
+ if (pp->type != VIR_CONF_STRING) {
+ fprintf(stderr, _("shell must be a list of strings"));
+ goto err;
+ }
+ }
+
+ if (VIR_ALLOC_N(shargv, len + 1) < 0) {
+ fprintf(stderr, _("out of memory"));
+ goto err;
+ }
+ for (i = 0, pp = p->list; pp; i++, pp = pp->next) {
+ if (VIR_STRDUP(shargv[i], pp->str) < 0) {
+ fprintf(stderr, _("out of memory"));
+ goto err;
+ }
+ }
+ shargv[len] = NULL;
+ }
+ return shargv;
+err:
s/err/error/
+ virStringFreeList(shargv);
+ return NULL;
+}
+
+int
+main(int argc, char **argv) {
+ virConfPtr conf = NULL;
+ const char *login_shell_path = SYSCONFDIR
"/libvirt/virt-login-shell.conf";
+ pid_t cpid;
+ int ret = EXIT_FAILURE;
+ int status;
+ int status2;
+ uid_t uid = getuid();
+ gid_t gid = getgid();
+ char *name;
+ char **shargv = NULL;
+ virSecurityModelPtr secmodel = NULL;
+ virSecurityLabelPtr seclabel = NULL;
+ virDomainPtr dom = NULL;
+ virConnectPtr conn = NULL;
+ if (!setlocale(LC_ALL, "")) {
+ perror("setlocale");
+ /* failure to setup locale is not fatal */
+ }
+ if (!bindtextdomain(PACKAGE, LOCALEDIR)) {
+ perror("bindtextdomain");
+ return EXIT_FAILURE;
+ }
+ if (!textdomain(PACKAGE)) {
+ perror("textdomain");
+ return EXIT_FAILURE;
+ }
+
+ if (uid == 0) {
+ errno = EPERM;
+ fprintf(stderr, _("%s must be run by non root users: %m\n"),
argv[0]);
+ goto err;
+ }
+
+ if (argc > 1) {
+ errno = EINVAL;
+ fprintf(stderr, _("%s takes no options: %m\n"), argv[0]);
+ goto err;
+ }
More trailing whitespace
+
+ name = virGetUserName(uid);
+
+ if (!(conf = virConfReadFile(login_shell_path, 0))) {
+ fprintf(stderr, _("Failed to read %s: %m\n"), login_shell_path);
+ goto err;
+ }
+ if (virLoginShellAllowedUser(conf, uid, gid, name) < 0)
+ goto err;
+
+ if (!(shargv = virLoginShellGetShellArgv(conf)))
+ goto err;
+
Trailing whitespace.
+ conn = virConnectOpen("lxc:///");
+ if (!conn) {
+ fprintf(stderr, _("Unable to connect to lxc:///: %m\n"));
+ goto err;
+ }
+
+ dom = virDomainLookupByName(conn, name);
+ if (!dom) {
+ fprintf(stderr, _("Container %s does not exist: %m\n"), name);
+ goto err;
+ }
+
+ if (! virDomainIsActive(dom) && virDomainCreate(dom)) {
+ virErrorPtr last_error;
+ last_error = virGetLastError();
+ if (last_error->code != VIR_ERR_OPERATION_INVALID) {
+ fprintf(stderr,_("Can't create %s container: %s\n"), name,
virGetLastErrorMessage());
+ goto err;
+ }
+ }
+
+ if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0) {
+ fprintf(stderr,_("Can't open %s namespace: %m\n"), name);
+ goto err;
+ }
+
+ if (VIR_ALLOC(secmodel) < 0) {
+ fprintf(stderr, _("Failed to allocate security model: %m\n"));
+ goto err;
+ }
+ if (VIR_ALLOC(seclabel) < 0) {
+ fprintf(stderr, _("Failed to allocate security label: %m\n"));
+ goto err;
+ }
+ if (virNodeGetSecurityModel(conn, secmodel) < 0)
+ goto err;
+ if (virDomainGetSecurityLabel(dom, seclabel) < 0)
+ goto err;
+
+ if (virFork(&cpid) < 0)
+ goto err;
+
+ if (cpid == 0) {
+ gid_t *groups = NULL;
+ int ngroups;
+ pid_t ccpid;
+
+ /* Fork once because we don't want to affect
+ * virt-login-shell's namespace itself
+ */
+ if (virSetUIDGID(0, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Unable to setresuid: %m\n"));
+ return EXIT_FAILURE;
+ }
+
+ if (virDomainLxcEnterSecurityLabel(secmodel,
+ seclabel,
+ NULL,
+ 0) < 0)
+ return EXIT_FAILURE;
+
+ if (nfdlist > 0) {
+ if (virDomainLxcEnterNamespace(dom,
+ nfdlist,
+ fdlist,
+ NULL,
+ NULL,
+ 0) < 0)
+ return EXIT_FAILURE;
+ }
+
+ if ((ngroups = virGetGroupList(uid, gid, &groups)) < 0)
+ return -1;
+
+ ret = virSetUIDGIDWithCaps(uid, gid, groups, ngroups, 0, 0);
+ VIR_FREE(groups);
+ if (ret < 0)
+ return -1;
+
+ if (virFork(&ccpid) < 0)
+ return EXIT_FAILURE;
+
+ if (ccpid == 0) {
+ char *homedir = virGetUserDirectory();
You'll need to call virGetUserDirectory() before any fork(), since it
calls code which is not async-signal safe.
+ if (chdir(homedir) < 0) {
+ fprintf(stderr, _("Unable chdir(%s): %m\n"), homedir);
+ return EXIT_FAILURE;
+ }
+ if (execv(shargv[0], (char *const*) shargv) < 0) {
+ fprintf(stderr, _("Unable exec shell %s: %m\n"), shargv[0]);
+ return EXIT_FAILURE;
+ }
+ }
+ return virProcessWait(ccpid, &status2);
+ }
+ ret = virProcessWait(cpid, &status);
Hmm, looking at this again, I'm wondering you need to fork()
at all. In virsh we do the double-fork dance, because virsh
is an interactive shell & we don't want to affect other parts
of virsh.
This login shell though is different - its only job is to run
inside the namespace. So can't the main process just enter
the namespace directly ?
+ goto cleanup;
+err:
+ ret = EXIT_FAILURE;
You're pre-initializing ret to EXIT_FAILURE. So remove the
separate 'err' label and make everything jump to 'cleanup'
intead. Then just have a 'ret = EXIT_SUCCESS'
+cleanup:
+ virConfFree(conf);
+ virLoginShellFini(conn, dom);
+ virStringFreeList(shargv);
+ VIR_FREE(seclabel);
+ VIR_FREE(secmodel);
+ return ret;
+}
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4145
days inactive
4146
days old
2 comments
2 participants
participants (2)
-
Daniel P. Berrange -
dwalsh@redhat.com