[libvirt] [PATCH] util: Make failure to get supplementary group list for a uid non-fatal

Peter Krempa pkrempa at redhat.com
Tue Jun 7 16:09:10 UTC 2016


On Tue, Jun 07, 2016 at 18:04:24 +0200, Peter Krempa wrote:
> Since introduction of the DAC security driver we've documented that
> seclabels with a leading + can be used with numerical uid. This would
> not work though with the rest of libvirt if the uid was not actually
> used in the system as we'd fail when trying to get a list of
> supplementary groups for the given uid. Since a uid without entry in
> /etc/passwd (or other user database) will not have any supplementary
> groups we can treat the failure to obtain them as such.
> 
> This patch modifies virGetGroupList to not report the error of missing
> user and tweaks callers to treat the missing list as having 0
> supplementary groups.
> 
> The only place reporting errors is virt-login-shell as it's used to
> determine whether the given user is allowed to access the shell.
> ---
> With this I'm able to run the VM with any arbitrary UID/GID.
> 
> CC: Roy Keene <rkeene at knightpoint.com>
> CC: "Daniel P. Berrange" <berrange at redhat.com>
> 
>  src/security/security_dac.c | 12 +++++++-----
>  src/util/vircommand.c       |  4 +++-
>  src/util/virfile.c          | 28 ++++++++++++++++------------
>  src/util/virutil.c          | 25 ++++++++++++++++---------
>  tools/virt-login-shell.c    |  6 +++++-
>  5 files changed, 47 insertions(+), 28 deletions(-)

And my patch doesn't even compile ... 

> 
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 442ce70..e8af093 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -269,11 +269,13 @@ virSecurityDACPreFork(virSecurityManagerPtr mgr)
>      int ngroups;

Since I forgot to amend nuking of the above local variable and a
missing comma.

Consider the following squashed in:

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index e8af093..9dec201 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -266,7 +266,6 @@ static int
 virSecurityDACPreFork(virSecurityManagerPtr mgr)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-    int ngroups;

     VIR_FREE(priv->groups);

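Review bot: with the local `int ngroups;` removed from virSecurityDACPreFork, this hunk no longer shows where the return value of virGetGroupList ends up, since the lines after `VIR_FREE(priv->groups);` are outside it. The commit message says a missing user is now a silent failure that callers treat as 0 supplementary groups, so please make sure a negative return is clamped to 0 before it is stored as the group count, so that a NULL list is never paired with a negative length. A resend as v2 would also be easier to review than a squash-in on top of a patch that does not build.
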
diff --git a/tools/virt-login-shell.c b/tools/virt-login-shell.c
index b63bf6a..92a1651 100644
--- a/tools/virt-login-shell.c
+++ b/tools/virt-login-shell.c
@@ -251,7 +251,7 @@ main(int argc, char **argv)

     if ((ngroups = virGetGroupList(uid, gid, &groups)) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("failed to query supplementary group list for uid '%u'")
+                       _("failed to query supplementary group list for uid '%u'"),
                        (unsigned int) uid);
         goto cleanup;
     }
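
Review bot: in the `< 0` branch, the `virReportError(VIR_ERR_INTERNAL_ERROR, ...)` call now runs for every failure of virGetGroupList, not only for the missing-user case that the commit message says no longer reports on its own. If the function still raises its own error for other failures, this call overwrites the more specific message; consider reporting here only when no error has been set yet, or wording the message so it names the missing user database entry. The added comma and the `(unsigned int) uid` cast for '%u' look right.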

Peter
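
The lookup behaviour the commit message describes, as an added example that is not part of the original mail and is not libvirt's code: a uid with no user database entry yields 0 supplementary groups instead of an error. The names get_group_list and unused_uid are hypothetical, and the probe uid is a constructed value assumed to be unused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper, not libvirt's virGetGroupList. Returns the number of
 * groups stored in *list (getgrouplist includes gid itself), 0 with a NULL
 * list when uid has no user database entry, -1 on a real failure. */
int get_group_list(uid_t uid, gid_t gid, gid_t **list)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    int n = 32;
    int rc = getpwuid_r(uid, &pw, buf, sizeof(buf), &res);

    *list = NULL;
    if (res == NULL) {
        /* rc == 0 means "not found"; some libcs use these errno values instead */
        return (rc == 0 || rc == ENOENT || rc == ESRCH ||
                rc == EBADF || rc == EPERM) ? 0 : -1;
    }
    if (!(*list = malloc(n * sizeof(gid_t))))
        return -1;
    if (getgrouplist(pw.pw_name, gid, *list, &n) < 0) {
        /* buffer too small: n now holds the required count, retry once */
        gid_t *tmp = realloc(*list, n * sizeof(gid_t));
        if (!tmp || getgrouplist(pw.pw_name, gid, tmp, &n) < 0) {
            free(tmp ? tmp : *list);
            *list = NULL;
            return -1;
        }
        *list = tmp;
    }
    return n;
}

uid_t unused_uid(void)
{
    uid_t uid = 3000000000u;  /* constructed probe value, assumed unused */
    while (getpwuid(uid))
        uid++;
    return uid;
}
int main(void)
{
    gid_t *g;
    printf("unknown uid: %d groups\n", get_group_list(unused_uid(), getgid(), &g));
    free(g);
    return 0;
}
```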



