[libvirt] [PATCH] Solaris least privilege support
John Levon
john.levon at sun.com
Thu Jan 15 12:57:49 UTC 2009
On Thu, Jan 15, 2009 at 10:19:58AM +0000, Daniel P. Berrange wrote:
> > +#ifdef __sun
> > + {
> > + ucred_t *ucred = NULL;
> > + const priv_set_t *privs;
> > +
> > + if (getpeerucred (fd, &ucred) == -1 ||
> > + (privs = ucred_getprivset (ucred, PRIV_EFFECTIVE)) == NULL) {
> > + if (ucred != NULL)
> > + ucred_free (ucred);
> > + close (fd);
> > + return -1;
> > + }
> > +
> > + if (!priv_ismember (privs, PRIV_VIRT_MANAGE)) {
> > + ucred_free (ucred);
> > + close (fd);
> > + return -1;
> > + }
> > +
> > + ucred_free (ucred);
>
> Can move the ucred_free up before priv_ismember() call and thus
> avoid the need for the call in the cleanup path.
Nope, privs points into the ucred structure.
> Is the chmod of the socket really required for solaris ? We already
I'll double check these.
> Also, if this libvirtd is running as UID 60, so the chown really
> needed ? We also setgid before creating the socket so that it
> gets desired group ownership at time of creation, rather than
> having to change it post-create.
At this point in the code (I think) we're still root.
> This would appear to make it try to change the socket ownership
> and permissions, before we've actually created the socket, which
> is much later in the main() method where we call NetworkInit
Hmm, let me re-check.
> > +#ifdef __sun
> > + /*
> > + * On Solaris, all clients are forced to go via virtd. As a result,
> > + * virtd must indicate it really does want to connect to the
> > + * hypervisor.
> > + */
> > + name = "xen:///";
> > +#endif
>
> This should not be neccessary if the client end + drivers are
> correctly written.
Can you explain a bit more? Why don't we need to rewrite the URI as xen?
> If you want Xen to always go via the demon, the only change that should
> be required, is to make xenUnifiedOpen() return VIR_DRV_OPEN_DECLINED.
Hmm, yes you might be right. Let me experiment.
> > if (err == 0) {
> > - error (in_open ? NULL : conn,
> > - VIR_ERR_RPC, _("socket closed unexpectedly"));
> > + DEBUG("conn %p: socket closed unexpectedly", conn);
> > return -1;
> > }
> > }
>
> These two I/O methods here have been completely re-written in my
> thread patches. Why is removing the error messages required ?
If we try to connect w/o privilege, then the socket is closed straight
after accept() - so it's not longer an RPC error for this to happen.
> > + /*
> > + * If the connection over a socket failed abruptly, it's probably
> > + * due to not having the right privileges.
> > + */
> > + if (sigpipe)
> > + vshError(ctl, TRUE, _("failed to connect (insufficient privileges?)"));
> > +
>
> It will also be seen if the daemon drops the connection due to an
> OOM condition, or the max-clients limit being exceeded, so perhaps
> a little more detailed message.
Suggestions?
thanks
john
More information about the libvir-list
mailing list