[libvirt] [PATCH] security: also parse user/group names instead of just IDs for DAC labels

Daniel P. Berrange berrange at redhat.com
Thu Sep 20 14:46:09 UTC 2012


On Thu, Sep 20, 2012 at 08:43:35AM -0600, Eric Blake wrote:
> On 09/20/2012 07:31 AM, Marcelo Cerri wrote:
> >>> possible ambiguities (since it is legal [although stupid] to have a user
> >>> name consisting of all digits and worse having the name differ from the
> >>> underlying uid),
> 
> >> The other option (that I prefer more) would be to document this
> >> behavior and leave it as proposed in this patch. Or maybe just
> >> reverse the order of resolving so that the numerical parsing is done
> >> before name parsing.
> >>
> >> If we warn the user, that specifying numerical values will result
> >> into using them as UID and GID and strings being translated we
> >> filter out the ambiguity by our design.
> >>
> >> I don't think it's worth spending this effort on such a weird corner case.
> > 
> > I agree with Peter here. These ambiguities will be very rare and a
> > well-documented behavior should be enough for this scenario. However
> > reversing the order still can lead to ambiguities, because it's never
> > possible to be sure if a sequence of digits is a username or not. But
> > again, we just need to make this point clear in docs.
> 
> The coreutils' solution in chown is that a name parse is attempted
> before numeric parse, and that a leading '+' (which is not valid in
> names) is the way to force a numeric parse.  If anything, we should copy
> that approach for consistency.
> 
> >>> except that what happens if I want to mix number and name between uid
> >>> and gid?
> >>>
> >>
> >> Mixing them will work in my approach presented here.
> 
> You still didn't answer my bigger question - when migrating, do we care
> about the case where the same user name has different uid on the two
> machines, and if so, do we make it possible for the user to choose
> between migrating with constant uid vs. migrating with constant name?
> If we always parse names into uids up front, then we are preventing the
> user from migration by name.

You can't migrate between different user IDs, because the target will
not be able to open the disk images - they will be labelled with the
user id of the source host and won't be changed.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list