Re: [libvirt] [PATCH] Call initgroups for qemu's uid prior to exec
On 12/21/2010 01:45 PM, Laine Stump wrote:
This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406
If qemu is run as a different uid, it has been unable to access mode
0660 files that are owned by a different user, but with a group that
the qemu is a member of (aside from the one group listed in the passwd
file). initgroups will change the group membership of the process (and
its children) to match the new uid.
---
src/qemu/qemu_security_dac.c | 27 +++++++++++++++++++++++++++
1 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 55dc0c6..2e60aec 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -12,6 +12,8 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <pwd.h>
+#include <grp.h>
#include "qemu_security_dac.h"
#include "qemu_conf.h"
@@ -558,6 +560,30 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv
ATTRIBUTE_UNUSED,
}
}
if (driver->user) {
+ struct passwd pwd, *pwd_result;
+ char *buf = NULL;
+ size_t bufsize = 16384;
qemu_driver.c sets this to 1024*1024. Will that matter? For that
matter, can't you provide this functionality in a single .c file so that
both qemudOpenAsUID and qemuSecurityDACSetProcessLabel can share the
benefits of common code?
That refactoring probably deserves a v2.
@@ -566,6 +592,7 @@
qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
}
}
+
return 0;
Spurious whitespace change.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 619 bytes)