Re: [libvirt] [PATCH 2/2] virt-login-shell joins users into lxc container.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/23/2013 05:44 PM, Eric Blake wrote:
On 12/23/2013 03:17 PM, Eric Blake wrote:
>>> + if (!(conf = virConfReadFile(login_shell_path, 0))) + goto
>>> cleanup;
>>
>> ...and non-root invariably fails here, since login_shell_path
>> (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that
>> is not searchable by either root or virtlogin.
>
> Ah, I see - non-root fails here if run unprivileged (such as under gdb),
> but when run setuid it has the permissions of root and can read the file
> just fine.
Maybe need to give it cap_dac_read_search?
/* Overrides all DAC restrictions regarding read and search on files
and directories, including ACL restrictions if [_POSIX_ACL] is
defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
#define CAP_DAC_READ_SEARCH 2
Then again, when run as setuid, it's not even getting past
virInitialize().
:(
At least I managed to figure out how to debug things: I recompiled with a
sleep() at the beginning, gave my just-compiled binary the same setuid
permissions as the installed binary, and then attach gdb (as root, since
non-root can't ptrace a running setuid binary for obvious reasons). So I
suspect that the failure in virInitialize() is yet more fallout from the
CVE-2013-4400 patches being untested.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLFgzgACgkQrlYvE4MpobNyiACfRJWSEAnfiKooQS7ujZnkmAiq
+JIAoLmKB5nZl+Nj6QSHww870OOZJhK/
=4uBh
-----END PGP SIGNATURE-----