[libvirt] [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups

Daniel P. Berrange berrange at redhat.com
Wed Nov 18 11:41:37 UTC 2015


On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
> The LXC driver uses virSetUIDGID() to become UID/GID 0.
> It passes an empty groups list to virSetUIDGID()
> to get rid of all supplementary groups from the host side.
> But virSetUIDGID() calls setgroups() only if the supplied list
> is larger than 0.
> This leads to a container root with unrelated supplementary groups.
> In most cases this issue is unnoticed as libvirtd runs as UID/GID 0
> without any supplementary groups.
> 
> Signed-off-by: Richard Weinberger <richard at nod.at>
> ---
> I've marked that patch as RFC as I'm not sure if all users of virSetUIDGID()
> expect this behavior too.
> 
> Thanks,
> //richard
> ---
>  src/util/virutil.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/util/virutil.c b/src/util/virutil.c
> index cddc78a..ea697a3 100644
> --- a/src/util/virutil.c
> +++ b/src/util/virutil.c
> @@ -1103,7 +1103,7 @@ virSetUIDGID(uid_t uid, gid_t gid, gid_t *groups ATTRIBUTE_UNUSED,
>      }
>  
>  # if HAVE_SETGROUPS
> -    if (ngroups && setgroups(ngroups, groups) < 0) {
> +    if (setgroups(ngroups, groups) < 0) {
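Review bot: dropping the `ngroups &&` guard makes setgroups() run unconditionally, but setgroups() requires CAP_SETGID even for a zero-length list, so every unprivileged caller of virSetUIDGID() that used to skip the call silently will now fail with EPERM. Tie the call to whether a gid change was actually requested, mirroring the setgid() check on the line above this hunk, e.g. `if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) {`; that keeps the fix (an empty list still clears supplementary groups when privileged) without breaking the unprivileged path.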

After running unit tests I see this causes a failure in virCommand.
We were using 'ngroups != NULL' as a crude check to skip setgroups()
when unprivileged.

The better way to check this is by doing 'gid != (gid_t)-1' as we
use on the line above which calls setgid(). So I'll push this instead:

-    if (ngroups && setgroups(ngroups, groups) < 0) {
+    if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) {
 
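Review bot: with this guard, a caller that passes gid == (gid_t)-1 together with an explicit groups list will keep its current supplementary groups without any error, because setgroups() is now skipped whenever no gid change is requested. That is fine for the LXC case (it always sets gid), but the function's comment should state that the groups list is only applied alongside a gid, so future callers do not assume `groups`/`ngroups` are honoured on their own.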

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
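Added example, not libvirt's code: a small stand-alone privilege-drop helper in the shape of the revised check above, so the difference between "skip setgroups() when the list is empty" and "skip setgroups() when no gid change was requested" can be exercised. The function names dropToUIDGID and countSupplementaryGroups are this example's own; the order setgid, setgroups, setuid follows the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Number of supplementary groups the calling process currently holds,
 * or -1 on error.  Used to verify that a drop really took effect. */
int countSupplementaryGroups(void)
{
    return getgroups(0, NULL);
}

/* Switch to uid/gid and install exactly the supplied supplementary group
 * list.  An empty list (ngroups == 0) clears every supplementary group,
 * which is what a container root needs.  setgroups() is skipped only when
 * no gid change was requested, not when the list is empty: setgroups()
 * needs CAP_SETGID even for a zero-length list, so an unprivileged caller
 * that asked for no gid change would otherwise fail with EPERM. */
int dropToUIDGID(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if (gid != (gid_t)-1 && setgid(gid) < 0) {
        fprintf(stderr, "setgid(%u): %s\n", (unsigned)gid, strerror(errno));
        return -1;
    }
    /* Deliberately no 'ngroups &&' guard: a zero-length list must be applied. */
    if (gid != (gid_t)-1 && setgroups(ngroups, groups) < 0) {
        fprintf(stderr, "setgroups(%zu): %s\n", ngroups, strerror(errno));
        return -1;
    }
    if (uid != (uid_t)-1 && setuid(uid) < 0) {
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)uid, strerror(errno));
        return -1;
    }
    return 0;
}

int main(void)
{
    int before = countSupplementaryGroups();
    /* Keep the current uid/gid but clear all supplementary groups;
     * this succeeds only when run with CAP_SETGID (for example as root). */
    if (dropToUIDGID((uid_t)-1, getgid(), NULL, 0) < 0)
        return 1;
    printf("supplementary groups: %d -> %d\n", before, countSupplementaryGroups());
    return 0;
}
```

Run as an unprivileged user with a gid of (gid_t)-1 the helper returns 0 without touching any credentials; run with CAP_SETGID it reports the supplementary group count dropping to 0.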
