[libvirt] [PATCH 2/5] util: allow using virCommandAllowCap with setuid helpers

Paolo Bonzini pbonzini at redhat.com
Fri Apr 19 07:26:18 UTC 2013


On 27/03/2013 23:46, Eric Blake wrote:
> That seems like a kernel flaw - it makes sense that you can't
> _add_ capabilities without CAP_SETPCAP, but being unable to _drop_ 
> capabilities without first acquiring a capability seems backwards.
> I wonder if lkml would accept a patch that makes CAP_SETPCAP
> unnecessary for the restriction case, and only require it for the
> case of gaining capabilities.

The worry here is that dropping _some_ caps but not all lets you
exploit untested error paths in suid binaries.

The solution could be to install libvirtd as suid-root and drop all
capabilities except CAP_SETPCAP when running unprivileged.
Alternatively, you could use file capabilities to the same effect.

Paolo
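As an added illustration (not code from this thread or from libvirt), this is what "drop all capabilities except CAP_SETPCAP" looks like with the raw capget(2)/capset(2) syscalls. Lowering the permitted, effective and inheritable sets needs no special capability, so the helper works whether it starts as root or already unprivileged; CAP_SETPCAP is kept because shrinking the bounding set later (prctl PR_CAPBSET_DROP) is the operation that requires it.

```c
// Added example: keep only CAP_SETPCAP, dropping every other capability from
// the calling thread's permitted, effective and inheritable sets.
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Prototype repeated in case unistd.h was included before _GNU_SOURCE. */
long syscall(long number, ...);

/* Read the thread's current capability sets (v3 = two 32-bit words each). */
static int read_caps(struct __user_cap_data_struct data[2]) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 64-bit mask of the capabilities we keep: just CAP_SETPCAP. */
static uint64_t keep_mask(void) { return (uint64_t)1 << CAP_SETPCAP; }

/* Reduce all three sets to (current & keep). Reducing never needs
   CAP_SETPCAP; only adding bits would. Returns 0 or -errno. */
int drop_all_but_setpcap(void) {
    struct __user_cap_data_struct cur[2];
    if (read_caps(cur) != 0) return -errno;
    uint32_t lo = (uint32_t)keep_mask(), hi = (uint32_t)(keep_mask() >> 32);
    struct __user_cap_data_struct want[2] = {
        { cur[0].effective & lo, cur[0].permitted & lo, cur[0].inheritable & lo },
        { cur[1].effective & hi, cur[1].permitted & hi, cur[1].inheritable & hi },
    };
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    if (syscall(SYS_capset, &hdr, want) != 0) return -errno;
    return 0;
}

/* 1 if nothing outside the keep mask remains in the permitted set. */
int only_setpcap_left(void) {
    struct __user_cap_data_struct cur[2];
    if (read_caps(cur) != 0) return 0;
    uint64_t permitted = (uint64_t)cur[0].permitted |
                         ((uint64_t)cur[1].permitted << 32);
    return (permitted & ~keep_mask()) == 0;
}
```

Run as root the process keeps exactly CAP_SETPCAP afterwards; run unprivileged the sets were already empty and the call still succeeds, since the result is always a subset of what was held.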