
On 01/02/2014 08:18 AM, Daniel J Walsh wrote:
On 12/23/2013 05:44 PM, Eric Blake wrote:
On 12/23/2013 03:17 PM, Eric Blake wrote:
+ if (!(conf = virConfReadFile(login_shell_path, 0))) + goto cleanup;
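Review bot: On the `goto cleanup` branch taken when `virConfReadFile(login_shell_path, 0)` returns NULL, the visible lines do not show what the user is told. Make sure this failure surfaces an error that names `login_shell_path` before cleanup runs, so a permissions problem on the file or its directory can be told apart from other startup failures.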
...and non-root invariably fails here, since login_shell_path (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that is not searchable by either root or virtlogin.
Ah, I see - non-root fails here if run unprivileged (such as under gdb), but when run setuid it has the permissions of root and can read the file just fine.
Maybe need to give it cap_dac_read_search?
/* Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
#define CAP_DAC_READ_SEARCH 2
Nah, I was able to fix the issue without needing any more caps:
https://www.redhat.com/archives/libvir-list/2013-December/msg01243.html

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org