[libvirt] [PATCH 2/2] virt-login-shell joins users into lxc container.
Eric Blake
eblake at redhat.com
Thu Jan 2 15:44:47 UTC 2014
On 01/02/2014 08:18 AM, Daniel J Walsh wrote:
> On 12/23/2013 05:44 PM, Eric Blake wrote:
>> On 12/23/2013 03:17 PM, Eric Blake wrote:
>
>>>>> + if (!(conf = virConfReadFile(login_shell_path, 0))) + goto
>>>>> cleanup;
>>>>
>>>> ...and non-root invariably fails here, since login_shell_path
>>>> (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that
>>>> is not searchable by either root or virtlogin.
>>>
>>> Ah, I see - non-root fails here if run unprivileged (such as under gdb),
>>> but when run setuid it has the permissions of root and can read the file
>>> just fine.
>
> Maybe need to give it cap_dac_read_search?
>
> /* Overrides all DAC restrictions regarding read and search on files
> and directories, including ACL restrictions if [_POSIX_ACL] is
> defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
>
> #define CAP_DAC_READ_SEARCH 2
Nah, I was able to fix the issue without needing any more caps:
https://www.redhat.com/archives/libvir-list/2013-December/msg01243.html
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140102/d4d59563/attachment-0001.sig>
More information about the libvir-list
mailing list