[libvirt] using virSetUIDGID() with unprivileged qemu defeats setuid helper

Csaba Henk chenk at redhat.com
Mon Mar 11 04:25:13 UTC 2013


Hi,

I recently experienced that my qemu guest (which I'm using with an
unprivileged user) fails to start with:

    error: internal error process exited while connecting to monitor: chardev: opening backend "pty" failed

This happens upon trying to facilitate the

    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>

stanzas, for which qemu wants to grab a pty through openpty(3).
openpty needs the assigned pty to be chown'd to the qemu
user, which is attempted via running the setuid helper program
pt_chown. However, chown(2) fails with EPERM.

The culprit seems to be the commits

    v1.0.3-rc1~113: util: virSetUIDGIDWithCaps - change uid while keeping caps
    v1.0.3-rc1~112: util: maintain caps when running command with uid != 0

which change how capabilities are manipulated before program execution.

Just immediately before the execve(2) call, the qemu process used to have
the following capabilities:

    CapInh:	0000000000000000
    CapPrm:	0000000000000000
    CapEff:	0000000000000000
    CapBnd:	ffffffffffffffff

Since said commits, it looks like:

    CapInh:	0000000000000000
    CapPrm:	0000000000000000
    CapEff:	0000000000000000
    CapBnd:	ffffffe000000000

As far as my capability-noob eyes can see, the bounding set lacks CAP_CHOWN
and thus pt_chown won't attain CAP_CHOWN despite running on uid 0, and the
EPERM is triggered.

How could we fix it? Should the qemu invocation be customized, or virExec() adjusted?
Or is there some configuration workaround?

(For the record, I've seen it on Arch Linux; tried their binary package and also
my own builds, which included a current git checkout.)

Thanks
Csaba
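
The two capability dumps quoted in the message can be decoded bit by bit. The following is an added example, not part of the original message or of libvirt: it assumes the capability numbering of `<linux/capability.h>` through CAP_BLOCK_SUSPEND and the execve(2) rule for root programs from capabilities(7), and the function names are hypothetical.

```python
import re

# Bit numbers 0..36 from <linux/capability.h> (through CAP_BLOCK_SUSPEND).
CAP_NAMES = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN
CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND""".split()

# Cap* lines exactly as quoted in the message above.
BEFORE = "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n" \
         "CapEff:\t0000000000000000\nCapBnd:\tffffffffffffffff\n"
AFTER = "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n" \
        "CapEff:\t0000000000000000\nCapBnd:\tffffffe000000000\n"

def parse_caps(status_text):
    """Map 'CapInh', 'CapPrm', ... to integers from /proc/<pid>/status text."""
    pairs = re.findall(r"^\s*(Cap\w+):\s*([0-9a-fA-F]{16})\s*$", status_text, re.M)
    return {name: int(value, 16) for name, value in pairs}

def names(mask):
    """Names of the known capabilities whose bit is set in mask."""
    return [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]

def root_exec_permitted(caps):
    """Permitted set a setuid-root helper receives at execve(2).
    capabilities(7): P'(perm) = (P(inh) & F(inh)) | (F(perm) & P(bnd)), and for
    a root program F(inh) and F(perm) are all ones (assuming no securebits)."""
    known = (1 << len(CAP_NAMES)) - 1
    return (caps["CapInh"] | caps["CapBnd"]) & known

def helper_can_chown(status_text):
    """True if a setuid-root helper exec'd from this process holds CAP_CHOWN."""
    return "CAP_CHOWN" in names(root_exec_permitted(parse_caps(status_text)))

def dropped_from_bounding(before, after):
    """Capabilities present in the old bounding set but not in the new one."""
    return names(parse_caps(before)["CapBnd"] & ~parse_caps(after)["CapBnd"])

if __name__ == "__main__":
    print("helper gets CAP_CHOWN before:", helper_can_chown(BEFORE))
    print("helper gets CAP_CHOWN after: ", helper_can_chown(AFTER))
    print("dropped:", ", ".join(dropped_from_bounding(BEFORE, AFTER)))
```

The same parser can be pointed at the contents of `/proc/<pid>/status` for a running qemu process to check its bounding set on a given host.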