
On 07.06.2016 18:04, Peter Krempa wrote:
Since introduction of the DAC security driver we've documented that seclabels with a leading + can be used with numerical uid. This would not work though with the rest of libvirt if the uid was not actually used in the system as we'd fail when trying to get a list of supplementary groups for the given uid. Since a uid without entry in /etc/passwd (or other user database) will not have any supplementary groups we can treat the failure to obtain them as such.
This patch modifies virGetGroupList to not report the error of missing user and tweaks callers to treat the missing list as having 0 supplementary groups.
The only place reporting errors is virt-login-shell as it's used to determine whether the given user is allowed to access the shell.
---
With this I'm able to run the VM with any arbitrary UID/GID.

CC: Roy Keene <rkeene@knightpoint.com>
CC: "Daniel P. Berrange" <berrange@redhat.com>

 src/security/security_dac.c | 12 +++++++-----
 src/util/vircommand.c       |  4 +++-
 src/util/virfile.c          | 28 ++++++++++++++++------------
 src/util/virutil.c          | 25 ++++++++++++++++--------
 tools/virt-login-shell.c    |  6 +++++-
 5 files changed, 47 insertions(+), 28 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 442ce70..e8af093 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -269,11 +269,13 @@ virSecurityDACPreFork(virSecurityManagerPtr mgr) int ngroups;
VIR_FREE(priv->groups); - priv->ngroups = 0; - if ((ngroups = virGetGroupList(priv->user, priv->group, - &priv->groups)) < 0) - return -1; - priv->ngroups = ngroups; + + /* ignore a possible problem in getting supplementary groups just assume + * we have none and continue with uid/gid only */ + if ((priv->ngroups = virGetGroupList(priv->user, priv->group, + &priv->groups)) < 0) + priv->ngroups = 0; +
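Review bot: once the `-` lines are gone, the `int ngroups;` declared in the leading context of this hunk has no remaining use in virSecurityDACPreFork, so a -Werror build will stop on the unused-variable warning; remove that declaration in the same hunk. Separately, the `+` branch maps every negative return to `priv->ngroups = 0;`, while the commit message says only the missing-user case was silenced inside virGetGroupList, so a genuine failure (allocation, user database lookup error) now leads to a silent launch with the primary gid only; a VIR_WARN or VIR_DEBUG just before `priv->ngroups = 0;` would keep that visible in the logs without changing the chosen behaviour.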
This will ignore just any kind of error. But I guess that's what we want anyway.

ACK

Michal
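As an added illustration of the rule Peter's commit message describes (a uid with no entry in the user database simply has no supplementary groups, while a failed lookup stays an error), here is example code written for this thread, not libvirt's own virGetGroupList; the helper name get_group_list_lenient and its classification of getpwuid_r error codes are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1   /* getgrouplist() is a BSD/GNU extension on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/types.h>

/* Hypothetical helper, not libvirt's virGetGroupList: a uid with no entry in
 * the user database yields 0 supplementary groups (*groups left NULL); only a
 * genuine lookup failure returns -1. On success returns the number of gids in
 * *groups (primary gid included), which the caller frees. */
int
get_group_list_lenient(uid_t uid, gid_t gid, gid_t **groups)
{
    struct passwd pw, *found = NULL;
    char buf[16384];
    gid_t *list = NULL;
    int n = 8, prev, rc;

    *groups = NULL;
    rc = getpwuid_r(uid, &pw, buf, sizeof(buf), &found);
    if (!found) {
        /* Real lookup failures; anything else with no result means "no such user". */
        switch (rc) {
        case ERANGE: case ENOMEM: case EIO: case EMFILE: case ENFILE: case EINTR:
            return -1;
        default:
            return 0;
        }
    }

    /* Grow until getgrouplist() fits; glibc sets n to the needed size on -1, other libcs may not. */
    do {
        gid_t *tmp;
        prev = n;
        if (!(tmp = realloc(list, (size_t)n * sizeof(*list)))) {
            free(list);
            return -1;
        }
        list = tmp;
        rc = getgrouplist(pw.pw_name, gid, list, &n);
        if (rc == -1 && n <= prev)
            n = prev * 2;
    } while (rc == -1);

    *groups = list;
    return n;
}
```

A caller mirroring the patched virSecurityDACPreFork can then keep treating 0 as "run with uid/gid only" while still logging a -1.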