This patch fixes
https://bugzilla.redhat.com/show_bug.cgi?id=664406
If qemu is run as a different uid, it has been unable to access mode
0660 files that are owned by a different user, but with a group that
the qemu is a member of (aside from the one group listed in the passwd
file). initgroups will change the group membership of the process (and
its children) to match the new uid.
---
src/qemu/qemu_security_dac.c | 27 +++++++++++++++++++++++++++
1 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 55dc0c6..2e60aec 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -12,6 +12,8 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <pwd.h>
+#include <grp.h>
#include "qemu_security_dac.h"
#include "qemu_conf.h"
@@ -558,6 +560,30 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv
ATTRIBUTE_UNUSED,
}
}
if (driver->user) {
+ struct passwd pwd, *pwd_result;
+ char *buf = NULL;
+ size_t bufsize = 16384;
+
+ if (VIR_ALLOC_N(buf, bufsize) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ getpwuid_r(driver->user, &pwd, buf, bufsize, &pwd_result);
+ if (pwd_result == NULL) {
+ virReportSystemError(errno,
+ _("cannot getpwuid_r(%d)"), driver->user);
+ VIR_FREE(buf);
+ return -1;
+ }
+ if (initgroups(pwd.pw_name, pwd.pw_gid) != 0) {
+ virReportSystemError(errno,
+ _("cannot initgroups(\"%s\", %d)"),
+ pwd.pw_name, pwd.pw_gid);
+ VIR_FREE(buf);
+ return -1;
+ }
+ VIR_FREE(buf);
+
if (setreuid(driver->user, driver->user) < 0) {
virReportSystemError(errno,
_("cannot change to '%d' user"),
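Review bot: The return value of getpwuid_r() on the `getpwuid_r(driver->user, ...)` line is discarded, so the `pwd_result == NULL` branch that follows reports `errno` for a call that, per POSIX, returns its error as the function result and leaves errno untouched; a too-small buffer (ERANGE) or a lookup failure will therefore be reported with a stale or zero errno, and a uid with no passwd entry (return 0, result NULL) gives a misleading message. I would change those lines to `int rc = getpwuid_r(driver->user, &pwd, buf, bufsize, &pwd_result);`, `if (rc != 0 || pwd_result == NULL) {` and `virReportSystemError(rc ? rc : ENOENT, _("cannot getpwuid_r(%d)"), driver->user);` so the failure is attributed correctly before the process drops to the new uid. The fixed `bufsize = 16384` is probably adequate, but since this path deliberately widens the child's supplementary-group set, a wrong diagnosis here could hide a misconfigured user; sizing from `sysconf(_SC_GETPW_R_SIZE_MAX)` when it returns a positive value would be a cheap improvement. The `%d` used for `driver->user` and `pwd.pw_gid` follows the existing `'%d' user` message in this function, so I would not block on it, though an explicit cast to int would make the format safe on platforms where uid_t/gid_t are not int. qemuSecurityDACSetProcessLabel begins and ends outside this hunk.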
@@ -566,6 +592,7 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv
ATTRIBUTE_UNUSED,
}
}
+
return 0;
}
--
1.7.3.4