Re: [libvirt] [PATCH] security_dac: compute supplemental groups before fork

15 Jul 2013


      On Fri, Jul 12, 2013 at 03:13:48PM -0600, Eric Blake wrote:
...
@@ -146,8 +149,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
     if (!mgr)
         return NULL;
-    virSecurityDACSetUser(mgr, user);
-    virSecurityDACSetGroup(mgr, group);
+    if ((ngroups = virGetGroupList(user, group, &groups)) < 0) {
+        virObjectUnref(mgr);
+        return NULL;
+    }
+
+    virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);
Hmm, the virSecurityManagerNewDAC method is run once at libvirtd startup.
Previously if you edited /etc/group to change a user's groups it would
take effect the very next time a VM is started. With this change, it will
only take effect if libvirtd is restarted, which is a regression in
behaviour.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

    

Daniel P. Berrange