[libvirt] [PATCH] Add '+' to uid/gid printing for label processing

To ensure proper processing by virGetUserID() and virGetGroupID() of a uid/gid add a "+" prior to the uid/gid to denote it's really a uid/gid for the label. Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/security/security_dac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 019c789..cb7d322 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -60,7 +60,7 @@ virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, priv->user = user; priv->group = group; - if (virAsprintf(&priv->baselabel, "%u:%u", + if (virAsprintf(&priv->baselabel, "+%u:+%u", (unsigned int) user, (unsigned int) group) < 0) return -1; @@ -1064,7 +1064,7 @@ virSecurityDACGenLabel(virSecurityManagerPtr mgr, } break; case VIR_DOMAIN_SECLABEL_DYNAMIC: - if (virAsprintf(&seclabel->label, "%u:%u", + if (virAsprintf(&seclabel->label, "+%u:+%u", (unsigned int) priv->user, (unsigned int) priv->group) < 0) return rc; -- 1.8.3.1
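Review bot: the virSecurityDACSetUserAndGroup hunk changes priv->baselabel from "%u:%u" to "+%u:+%u", which is a user-visible change to the label string the DAC driver reports, but the commit message only motivates it by virGetUserID()/virGetGroupID() parsing; please describe the new "+uid:+gid" form in the commit message and in the DAC driver documentation, and confirm that anything that still emits or compares the unprefixed "1000:1000" form accepts the prefixed one.

Review bot: the virSecurityDACGenLabel hunk repeats the "+%u:+%u" format and the (unsigned int) casts already written in virSecurityDACSetUserAndGroup; a shared macro or a small helper that formats a uid/gid pair into a label would keep the two sites from drifting apart, and a unit test that feeds "+1000:+1000" back through virGetUserID()/virGetGroupID() would pin down the round trip this patch relies on.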

On 10/29/2013 12:52 PM, John Ferlan wrote:
To ensure proper processing by virGetUserID() and virGetGroupID() of a uid/gid add a "+" prior to the uid/gid to denote it's really a uid/gid for the label.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/security/security_dac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
ACK. Although unlikely, it is possible to have a system with a username that is purely digits, and where those digits don't match the underlying uid, so it is indeed nice that when we know we have a uid that we force the parser to skip a name lookup (which harmlessly fails on 99.99% of the systems, but which could potentially get wrong credentials on the rare system with odd usernames). Worth including in 1.1.4.
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 019c789..cb7d322 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -60,7 +60,7 @@ virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, priv->user = user; priv->group = group;
- if (virAsprintf(&priv->baselabel, "%u:%u", + if (virAsprintf(&priv->baselabel, "+%u:+%u", (unsigned int) user, (unsigned int) group) < 0) return -1; @@ -1064,7 +1064,7 @@ virSecurityDACGenLabel(virSecurityManagerPtr mgr, } break; case VIR_DOMAIN_SECLABEL_DYNAMIC: - if (virAsprintf(&seclabel->label, "%u:%u", + if (virAsprintf(&seclabel->label, "+%u:+%u", (unsigned int) priv->user, (unsigned int) priv->group) < 0) return rc;
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
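The failure mode Eric describes (a digits-only account name whose uid differs from the digits, so a name-first lookup of "1000" resolves to the wrong credentials unless the label says "+1000") is shown below in a small C program. This is an added example, not libvirt code and not the real virGetUserID()/virGetGroupID(); the passwd and group tables are constructed in-line to stand in for getpwnam()/getgrnam() so the run is deterministic and offline, and the resolution order (name lookup first, numeric fallback, '+' forces numeric) is the behaviour the thread implies, not a copy of libvirt's implementation.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the system passwd/group databases (not real NSS). */
struct fake_entry { const char *name; unsigned int id; };

static const struct fake_entry FAKE_PASSWD[] = {
    { "root",  0 },
    { "qemu",  107 },
    { "1000",  1001 },   /* odd account: digits-only name, uid does NOT match */
    { "alice", 1000 },
};
static const struct fake_entry FAKE_GROUP[] = {
    { "root",  0 },
    { "qemu",  107 },
    { "alice", 1000 },
};

static int lookup_name(const struct fake_entry *tab, size_t n,
                       const char *name, unsigned int *out)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(tab[i].name, name) == 0) { *out = tab[i].id; return 0; }
    }
    return -1;
}

/* Strict decimal parse: no sign, no whitespace, no trailing junk, fits unsigned int. */
static int parse_numeric(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;
    if (*s == '\0' || *s == '+' || *s == '-' || isspace((unsigned char)*s))
        return -1;                       /* strtoul would accept these; we do not */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT_MAX) return -1;
    *out = (unsigned int)v;
    return 0;
}

/* A leading '+' forces the numeric path and skips the name lookup entirely;
 * otherwise the name is tried first and digits are only a fallback. */
static int resolve(const struct fake_entry *tab, size_t n,
                   const char *s, unsigned int *out)
{
    if (s[0] == '+') return parse_numeric(s + 1, out);
    if (lookup_name(tab, n, s, out) == 0) return 0;
    return parse_numeric(s, out);
}

int resolve_user(const char *s, unsigned int *uid)
{
    return resolve(FAKE_PASSWD, sizeof FAKE_PASSWD / sizeof *FAKE_PASSWD, s, uid);
}

int resolve_group(const char *s, unsigned int *gid)
{
    return resolve(FAKE_GROUP, sizeof FAKE_GROUP / sizeof *FAKE_GROUP, s, gid);
}

/* Parse a DAC label of the form "user:group" into numeric ids. */
int parse_dac_label(const char *label, unsigned int *uid, unsigned int *gid)
{
    const char *colon = strchr(label, ':');
    char user[64];
    if (!colon) return -1;
    size_t ulen = (size_t)(colon - label);
    if (ulen == 0 || ulen >= sizeof user) return -1;
    memcpy(user, label, ulen);
    user[ulen] = '\0';
    if (resolve_user(user, uid) < 0) return -1;
    return resolve_group(colon + 1, gid);
}

int main(void)
{
    const char *labels[] = { "1000:1000", "+1000:+1000", "qemu:qemu", "+107:+107" };
    for (size_t i = 0; i < sizeof labels / sizeof *labels; i++) {
        unsigned int uid, gid;
        if (parse_dac_label(labels[i], &uid, &gid) == 0)
            printf("%-12s -> uid %u gid %u\n", labels[i], uid, gid);
        else
            printf("%-12s -> parse error\n", labels[i]);
    }
    return 0;
}
```

On the constructed table, "1000:1000" resolves the user to uid 1001 (the digits-only account wins the name lookup) while "+1000:+1000" yields uid 1000 as intended; on a normal system the name lookup for "1000" simply fails and both forms agree, which is why the bug is invisible almost everywhere.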

On 10/29/2013 04:13 PM, Eric Blake wrote:
On 10/29/2013 12:52 PM, John Ferlan wrote:
To ensure proper processing by virGetUserID() and virGetGroupID() of a uid/gid add a "+" prior to the uid/gid to denote it's really a uid/gid for the label.
Signed-off-by: John Ferlan <jferlan@redhat.com> --- src/security/security_dac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
ACK. Although unlikely, it is possible to have a system with a username that is purely digits, and where those digits don't match the underlying uid, so it is indeed nice that when we know we have a uid that we force the parser to skip a name lookup (which harmlessly fails on 99.99% of the systems, but which could potentially get wrong credentials on the rare system with odd usernames). Worth including in 1.1.4.
Thanks - this is now pushed.

John

It's also notable that without the patch, messages would be sent to /var/log/messages such as:

Oct 19 10:13:21 myhost libvirtd[4055]: User record for user '1000' was not found: No such file or directory
Oct 19 10:13:21 myhost libvirtd[4055]: Group record for user '1000' was not found: No such file or directory