On 02/07/2013 02:37 PM, Laine Stump wrote:
If a uid and/or gid is specified for a command, it will be set just after the user-supplied post-fork "hook" function is called.
The intent is that this can replace user hook functions that set uid/gid. This moves the setting of uid/gid and dropping of capabilities closer to each other, which is important since the two should really be done at the same time (libcapng provides a single function that does both, which we will be unable to use, but want to mimic as closely as possible). --- src/libvirt_private.syms | 2 ++ src/util/vircommand.c | 26 ++++++++++++++++++++++++++ src/util/vircommand.h | 6 +++++- 3 files changed, 33 insertions(+), 1 deletion(-)
+++ b/src/util/vircommand.c @@ -101,6 +101,8 @@ struct _virCommand { char *pidfile; bool reap;
+ uid_t uid; + gid_t gid; unsigned long long capabilities; };
@@ -605,6 +607,12 @@ virExec(virCommandPtr cmd) goto fork_error; }
+ if (cmd->uid > 0 || cmd->gid > 0) {
This says we can't explicitly request to run as uid 0. Wouldn't it be better to pre-initialize these two fields to (uid_t)-1 and (gid_t)-1 when the virCommandPtr is first allocated, and then check if they have been changed away from -1 here?
+ VIR_DEBUG("Setting child uid:gid to %u:%u", cmd->uid, cmd->gid);
Not portable to cygwin; you have to cast uid_t and gid_t to int before sending it through *printf (see src/util/virutil.c for examples). -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org