[libvirt] [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups
Martin Kletzander
mkletzan at redhat.com
Wed Jun 24 09:19:04 UTC 2015
On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
>The LXC driver uses virSetUIDGID() to become UID/GID 0.
>It passes an empty groups list to virSetUIDGID()
>to get rid of all supplementary groups from the host side.
>But virSetUIDGID() calls setgroups() only if the supplied list
>is larger than 0.
>This leads to a container root with unrelated supplementary groups.
>In most cases this issue is unoticed as libvirtd runs as UID/GID 0
>without any supplementary groups.
>
>Signed-off-by: Richard Weinberger <richard at nod.at>
>---
>I've marked that patch as RFC as I'm not sure if all users of virSetUIDGID()
>expect this behavior too.
>
I went through the callers and I see no reason why setgroups should
not be called. ACK. I also can't think of a use case in which we'd
like to keep the supplemental groups.
>Thanks,
>//richard
>---
> src/util/virutil.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/src/util/virutil.c b/src/util/virutil.c
>index cddc78a..ea697a3 100644
>--- a/src/util/virutil.c
>+++ b/src/util/virutil.c
>@@ -1103,7 +1103,7 @@ virSetUIDGID(uid_t uid, gid_t gid, gid_t *groups ATTRIBUTE_UNUSED,
> }
>
> # if HAVE_SETGROUPS
>- if (ngroups && setgroups(ngroups, groups) < 0) {
>+ if (setgroups(ngroups, groups) < 0) {
> virReportSystemError(errno, "%s",
> _("cannot set supplemental groups"));
> return -1;
>--
>2.4.2
>
>--
>libvir-list mailing list
>libvir-list at redhat.com
>https://www.redhat.com/mailman/listinfo/libvir-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20150624/152f8a6e/attachment-0001.sig>
More information about the libvir-list
mailing list