[libvirt] [PATCH] security_dac: compute supplemental groups before fork
Daniel P. Berrange
berrange at redhat.com
Mon Jul 15 12:14:44 UTC 2013
On Fri, Jul 12, 2013 at 03:13:48PM -0600, Eric Blake wrote:
> @@ -146,8 +149,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
> if (!mgr)
> return NULL;
>
> - virSecurityDACSetUser(mgr, user);
> - virSecurityDACSetGroup(mgr, group);
> + if ((ngroups = virGetGroupList(user, group, &groups)) < 0) {
> + virObjectUnref(mgr);
> + return NULL;
> + }
> +
> + virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);
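Review bot: after the call to virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups), the hunk does not show who owns the array allocated by virGetGroupList. If the setter copies the list, `groups` leaks here; if it takes ownership, that should be stated in a comment on the setter so that callers do not free it. The list is also resolved only once, at manager construction, so the stored copy is a snapshot. If it has to follow later group membership changes, do the lookup on the per-VM path in the parent, just before the fork.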
Hmm, the virSecurityManagerNewDAC method is run once at libvirtd startup.
Previously if you edited /etc/group to change a user's groups it would
take effect the very next time a VM is started. With this change, it will
only take effect if libvirtd is restarted, which is a regression in
behaviour.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
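The trade-off raised in this reply, as an added example (not libvirt's code and not part of the patch): the group list is resolved in the parent immediately before each fork, so /etc/group edits reach the next child without a daemon restart, and the child makes only direct system calls. `lookup_groups`, `has_gid` and `spawn_as` are hypothetical names, and the `root`/0 values in `main` are constructed.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: resolve primary + supplementary groups of `user`.
 * Returns the count (>= 1) with a malloc'd list in *out, or -1 on error. */
int lookup_groups(const char *user, gid_t primary, gid_t **out)
{
    int n = 8;
    gid_t *list = malloc(n * sizeof(*list));
    if (!list) return -1;
    /* When the buffer is too small, getgrouplist() returns -1 and sets n. */
    while (getgrouplist(user, primary, list, &n) < 0) {
        gid_t *tmp = realloc(list, n * sizeof(*list));
        if (!tmp) { free(list); return -1; }
        list = tmp;
    }
    *out = list;
    return n;
}

int has_gid(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* The NSS lookup is not async-signal-safe, so it runs in the parent, once
 * per spawn. Returns the child's exit code: 126 if it cannot drop privileges. */
int spawn_as(const char *user, uid_t uid, gid_t gid)
{
    gid_t *groups = NULL;
    int status, ngroups = lookup_groups(user, gid, &groups);
    if (ngroups < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {  /* child: groups first, then gid, then uid */
        if (setgroups(ngroups, groups) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
            _exit(126);
        _exit(0);    /* a real caller would exec the workload here */
    }
    free(groups);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { printf("child exit: %d\n", spawn_as("root", 0, 0)); return 0; }
```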