Re: [libvirt] [PATCH] security_dac: compute supplemental groups before fork
On Fri, Jul 12, 2013 at 03:13:48PM -0600, Eric Blake wrote:
@@ -146,8 +149,12 @@ virSecurityManagerPtr
virSecurityManagerNewDAC(const char *virtDriver,
if (!mgr)
return NULL;
- virSecurityDACSetUser(mgr, user);
- virSecurityDACSetGroup(mgr, group);
+ if ((ngroups = virGetGroupList(user, group, &groups)) < 0) {
+ virObjectUnref(mgr);
+ return NULL;
+ }
+
+ virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);
Hmm, the virSecurityManagerNewDAC method is run once at libvirtd startup.
Previously if you edited /etc/group to change a user's groups it would
take effect the very next time a VM is started. With this change, it will
only take effect if libvirtd is restarted, which is a regression in
behaviour.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|