[libvirt] [libvirt-sandbox PATCH] Allow to switch to a specific user id

[Guido Günther]

Useful if you want to run programs as the same user than outside the
sandbox.
---
 bin/virt-sandbox.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index 4c400d5..9495e85 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -24,6 +24,8 @@
 
 #include <libvirt-sandbox/libvirt-sandbox.h>
 #include <glib/gi18n.h>
+#include <sys/types.h>
+#include <pwd.h>
 
 static gboolean do_close(GVirSandboxConsole *con G_GNUC_UNUSED,
                          gboolean error G_GNUC_UNUSED,
@@ -92,6 +94,7 @@ int main(int argc, char **argv) {
     gchar *kernver = NULL;
     gchar *kernpath = NULL;
     gchar *kmodpath = NULL;
+    gchar *switchto = NULL;
     gboolean verbose = FALSE;
     gboolean debug = FALSE;
     gboolean shell = FALSE;
@@ -126,6 +129,8 @@ int main(int argc, char **argv) {
           N_("security properties"), "PATH", },
         { "privileged", 'p', 0, G_OPTION_ARG_NONE, &privileged,
           N_("run the command privileged"), NULL },
+        { "switchto", 'S', 0, G_OPTION_ARG_STRING, &switchto,
+          N_("swith to the given user"), "USER" },
         { "shell", 'l', 0, G_OPTION_ARG_NONE, &shell,
           N_("start a shell"), NULL, },
         { "kernver", 0, 0, G_OPTION_ARG_STRING, &kernver,
@@ -139,6 +144,7 @@ int main(int argc, char **argv) {
         { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
     };
     const char *help_msg = N_("Run 'virt-sandbox --help' to see a full list of available command line options");
+    struct passwd *pw;
 
     setlocale(LC_ALL, "");
     bindtextdomain(PACKAGE, LOCALEDIR);
@@ -198,10 +204,25 @@ int main(int argc, char **argv) {
     if (kmodpath)
         gvir_sandbox_config_set_kmodpath(cfg, kmodpath);
 
+    if (privileged && switchto) {
+        g_printerr(_("'switchto' and 'privileged' are incompatible options\n"));
+        goto cleanup;
+    }
+
     if (privileged) {
         gvir_sandbox_config_set_userid(cfg, 0);
         gvir_sandbox_config_set_groupid(cfg, 0);
         gvir_sandbox_config_set_username(cfg, "root");
+    } else if (switchto) {
+        pw = getpwnam(switchto);
+        if (!pw) {
+            g_printerr(_("Failed to resolve user %s\n"), switchto);
+            goto cleanup;
+        }
+        gvir_sandbox_config_set_userid(cfg, pw->pw_uid);
+        gvir_sandbox_config_set_groupid(cfg, pw->pw_gid);
+        gvir_sandbox_config_set_username(cfg, pw->pw_name);
+        gvir_sandbox_config_set_homedir(cfg, pw->pw_dir);
     }
 
     if (envs &&
@@ -541,6 +562,11 @@ to this path to locate the modules.
 Retain root privileges inside the sandbox, rather than dropping privileges
 to match the current user identity.
 
+=item B<-S USER>, B<--switchto=USER>
+
+Swith to the given user inside the sandbox and setup $HOME
+accordingly.
+
 =item B<-l>, B<--shell>
 
 Launch an interactive shell on a secondary console device
-- 
2.8.0.rc3