[libvirt] [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups

Daniel P. Berrange berrange at redhat.com
Wed Nov 18 11:36:15 UTC 2015


On Wed, Nov 18, 2015 at 07:35:39AM +0100, Martin Kletzander wrote:
> On Tue, Nov 17, 2015 at 10:02:36PM +0100, Richard Weinberger wrote:
> >On Wed, Jun 24, 2015 at 11:19 AM, Martin Kletzander <mkletzan at redhat.com> wrote:
> >>On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
> >>>
> >>>The LXC driver uses virSetUIDGID() to become UID/GID 0.
> >>>It passes an empty groups list to virSetUIDGID()
> >>>to get rid of all supplementary groups from the host side.
> >>>But virSetUIDGID() calls setgroups() only if the supplied list
> >>>is larger than 0.
> >>>This leads to a container root with unrelated supplementary groups.
> >>>In most cases this issue is unnoticed as libvirtd runs as UID/GID 0
> >>>without any supplementary groups.
> >>>
> >>>Signed-off-by: Richard Weinberger <richard at nod.at>
> >>>---
> >>>I've marked that patch as RFC as I'm not sure if all users of
> >>>virSetUIDGID() expect this behavior too.
> >>>
> >>
> >>I went through the callers and I see no reason why setgroups should
> >>not be called.  ACK.  I also can't think of a use case in which we'd
> >>like to keep the supplemental groups.
> >
> >Ping?
> >
> 
> Oh, sorry, I didn't realize you don't have push access.  Would you
> happen to have these patches around somewhere?  The originals got
> archived automatically.  If you send them to me, I'll push them, it
> would be easier than me sucking it out of the ML archive (the same
> applies for the other patch: "bind mount container TTYs").

Don't worry, I've pushed them all.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
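The defect discussed in the thread is the conditional call: supplementary groups are only reset when the supplied list is non-empty, so an empty list leaves the caller's groups in place. Below is an added illustration, not libvirt's own code: a hypothetical `set_uid_gid()` that calls `setgroups()` unconditionally (so an empty list clears the set), plus a `supplementary_groups_are()` post-condition a caller can run after dropping privileges to confirm nothing leaked. All function names are assumed; `set_uid_gid()` needs root to succeed, the checks do not.

```c
#define _GNU_SOURCE
#include <grp.h>      /* setgroups() on glibc */
#include <stdlib.h>
#include <unistd.h>   /* getgroups(), setgid(), setuid() */
static size_t count_gid(const gid_t *v, size_t n, gid_t g)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (v[i] == g);
    return c;
}

/* Order-independent comparison of two group lists (multiset equality). */
int gidset_equal(const gid_t *a, size_t na, const gid_t *b, size_t nb)
{
    if (na != nb) return 0;
    for (size_t i = 0; i < na; i++)
        if (count_gid(a, na, a[i]) != count_gid(b, nb, a[i])) return 0;
    return 1;
}

/* Hypothetical fixed variant of virSetUIDGID(): setgroups() runs for every
 * list, so ngroups == 0 clears the supplementary set. The bug in the thread
 * skipped setgroups() for an empty list and so kept the caller's groups.
 * Needs root (CAP_SETGID/CAP_SETUID) to succeed. */
int set_uid_gid(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if (setgroups(ngroups, groups) < 0) return -1;    /* (0, NULL) is valid on Linux */
    if (gid != (gid_t)-1 && setgid(gid) < 0) return -1;
    if (uid != (uid_t)-1 && setuid(uid) < 0) return -1; /* last: it drops the rest */
    return 0;
}

/* Read the live supplementary set; caller frees *out. Returns count or -1. */
int current_supplementary_groups(gid_t **out)
{
    int n = getgroups(0, NULL);
    if (n < 0 || !(*out = malloc((size_t)n * sizeof **out + 1))) return -1;
    if ((n = getgroups(n, *out)) < 0) { free(*out); *out = NULL; }
    return n;
}

/* Post-condition to verify after dropping privileges:
 * 1 if the live set equals `want`, 0 if groups leaked, -1 on error. */
int supplementary_groups_are(const gid_t *want, size_t nwant)
{
    gid_t *have;
    int n = current_supplementary_groups(&have);
    if (n < 0) return -1;
    int r = gidset_equal(want, nwant, have, (size_t)n);
    free(have);
    return r;
}
```

A container setup path would call `set_uid_gid(0, 0, NULL, 0)` and then require `supplementary_groups_are(NULL, 0) == 1` before continuing; with the buggy conditional the check fails whenever libvirtd itself runs with supplementary groups.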
