[libvirt] [PATCH] Call initgroups for qemu's uid prior to exec
Laine Stump
laine at laine.org
Tue Dec 21 20:45:55 UTC 2010
This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406
If qemu is run as a different uid, it has been unable to access mode
0660 files that are owned by a different user, but with a group that
the qemu is a member of (aside from the one group listed in the passwd
file). initgroups will change the group membership of the process (and
its children) to match the new uid.
---
src/qemu/qemu_security_dac.c | 27 +++++++++++++++++++++++++++
1 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 55dc0c6..2e60aec 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -12,6 +12,8 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <pwd.h>
+#include <grp.h>
#include "qemu_security_dac.h"
#include "qemu_conf.h"
@@ -558,6 +560,30 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
}
}
if (driver->user) {
+ struct passwd pwd, *pwd_result;
+ char *buf = NULL;
+ size_t bufsize = 16384;
+
+ if (VIR_ALLOC_N(buf, bufsize) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ getpwuid_r(driver->user, &pwd, buf, bufsize, &pwd_result);
+ if (pwd_result == NULL) {
+ virReportSystemError(errno,
+ _("cannot getpwuid_r(%d)"), driver->user);
+ VIR_FREE(buf);
+ return -1;
+ }
+ if (initgroups(pwd.pw_name, pwd.pw_gid) != 0) {
+ virReportSystemError(errno,
+ _("cannot initgroups(\"%s\", %d)"),
+ pwd.pw_name, pwd.pw_gid);
+ VIR_FREE(buf);
+ return -1;
+ }
+ VIR_FREE(buf);
+
if (setreuid(driver->user, driver->user) < 0) {
virReportSystemError(errno,
_("cannot change to '%d' user"),
@@ -566,6 +592,7 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
}
}
+
return 0;
}
--
1.7.3.4
More information about the libvir-list
mailing list