[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [libvirt-sandbox PATCH] Allow to switch to a specific user id



On Tue, Mar 22, 2016 at 08:46:18AM +0100, Guido Günther wrote:
> Useful if you want to run programs as the same user than outside the
> sandbox.
> ---
>  bin/virt-sandbox.c | 26 ++++++++++++++++++++++++++
>  1 file changed, 26 insertions(+)
> 
> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
> index 4c400d5..9495e85 100644
> --- a/bin/virt-sandbox.c
> +++ b/bin/virt-sandbox.c
> @@ -24,6 +24,8 @@
>  
>  #include <libvirt-sandbox/libvirt-sandbox.h>
>  #include <glib/gi18n.h>
> +#include <sys/types.h>
> +#include <pwd.h>
>  
>  static gboolean do_close(GVirSandboxConsole *con G_GNUC_UNUSED,
>                           gboolean error G_GNUC_UNUSED,
> @@ -92,6 +94,7 @@ int main(int argc, char **argv) {
>      gchar *kernver = NULL;
>      gchar *kernpath = NULL;
>      gchar *kmodpath = NULL;
> +    gchar *switchto = NULL;
>      gboolean verbose = FALSE;
>      gboolean debug = FALSE;
>      gboolean shell = FALSE;
> @@ -126,6 +129,8 @@ int main(int argc, char **argv) {
>            N_("security properties"), "PATH", },
>          { "privileged", 'p', 0, G_OPTION_ARG_NONE, &privileged,
>            N_("run the command privileged"), NULL },
> +        { "switchto", 'S', 0, G_OPTION_ARG_STRING, &switchto,
> +          N_("swith to the given user"), "USER" },
>          { "shell", 'l', 0, G_OPTION_ARG_NONE, &shell,
>            N_("start a shell"), NULL, },
>          { "kernver", 0, 0, G_OPTION_ARG_STRING, &kernver,
> @@ -139,6 +144,7 @@ int main(int argc, char **argv) {
>          { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
>      };
>      const char *help_msg = N_("Run 'virt-sandbox --help' to see a full list of available command line options");
> +    struct passwd *pw;
>  
>      setlocale(LC_ALL, "");
>      bindtextdomain(PACKAGE, LOCALEDIR);
> @@ -198,10 +204,25 @@ int main(int argc, char **argv) {
>      if (kmodpath)
>          gvir_sandbox_config_set_kmodpath(cfg, kmodpath);
>  
> +    if (privileged && switchto) {
> +        g_printerr(_("'switchto' and 'privileged' are incompatible options\n"));
> +        goto cleanup;
> +    }
> +
>      if (privileged) {
>          gvir_sandbox_config_set_userid(cfg, 0);
>          gvir_sandbox_config_set_groupid(cfg, 0);
>          gvir_sandbox_config_set_username(cfg, "root");
> +    } else if (switchto) {
> +        pw = getpwnam(switchto);
> +        if (!pw) {
> +            g_printerr(_("Failed to resolve user %s\n"), switchto);
> +            goto cleanup;
> +        }
> +        gvir_sandbox_config_set_userid(cfg, pw->pw_uid);
> +        gvir_sandbox_config_set_groupid(cfg, pw->pw_gid);
> +        gvir_sandbox_config_set_username(cfg, pw->pw_name);
> +        gvir_sandbox_config_set_homedir(cfg, pw->pw_dir);
>      }
>  
>      if (envs &&
> @@ -541,6 +562,11 @@ to this path to locate the modules.
>  Retain root privileges inside the sandbox, rather than dropping privileges
>  to match the current user identity.
>  
> +=item B<-S USER>, B<--switchto=USER>
> +
> +Swith to the given user inside the sandbox and setup $HOME
> +accordingly.
> +
>  =item B<-l>, B<--shell>
>  
>  Launch an interactive shell on a secondary console device

ACK


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]