[libvirt] Fwd: libvirtd failing on MacOS in setgroups

Daniel P. Berrangé berrange at redhat.com
Mon Sep 30 12:16:10 UTC 2019


On Mon, Sep 30, 2019 at 02:06:07PM +0200, Bruno Haible wrote:
> Daniel P. Berrangé wrote:
> > > > FWIW I compiled libvirt without the setgroups code on Mac and it
> > > > worked as expected. Not sure what the implications of that are though?
> > > 
> > > OK, then the fix would be to not use setgroups on Mac, and nothing to do
> > > in gnulib. Right?
> > 
> > Not calling setgroups means the QEMU process doesn't run with any of
> > the supplementary groups associated with its user account, so this is
> > not really a working solution. It re-introduces the bug that the
> > setgroups call was added to fix.
> 
> For what purpose is libvirt or QEMU using setgroups()? What goes wrong if
> setgroups() fails?

QEMU potentially needs access to files owned by a supplementary group.
On Linux for example, /dev/kvm is often owned by 'kvm' group, but the
'qemu' user on Fedora has 'qemu' group as its primary group. So QEMU
would be unable to open /dev/kvm without the setgroups call to set up
supplementary groups.

> The problem is that the Darwin kernel does not support setting more than
> NGROUPS_MAX (= 16) groups. So
>   - What happens when you have a user account which is in more than 16
>     groups? What do other processes do in this situation?

Samba appears to use initgroups on Darwin, while clamping to 16 groups
only:

  https://github.com/samba-team/samba/blob/v4-11-stable/source3/smbd/sec_ctx.c#L248

>   - Is using the first 16 groups and ignoring the extra ones an acceptable
>     solution?

Certainly that's better than just ignoring groups entirely, as it will
work for many more cases, even if not perfect.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
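The "first 16 groups" approach discussed in this thread, as an added example that is not libvirt's, Samba's or gnulib's code: the full supplementary group list is fetched with getgrouplist(), reduced to Darwin's limit with the primary group guaranteed to survive, and then handed to setgroups(). The names clamp_groups, set_user_groups and demo_clamp, the 256-entry lookup buffer and the sample gid list are assumptions of this example; the self-check uses a constructed list and does not need privilege.

```c
#define _GNU_SOURCE               /* glibc: expose getgrouplist() and setgroups() */
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#define DARWIN_NGROUPS_MAX 16     /* the Darwin kernel limit the thread discusses */

/* Copy at most `max` gids from `in` to `out`, primary first and duplicates
 * dropped, so clamping can never lose the primary group. Returns count kept. */
size_t clamp_groups(const gid_t *in, size_t n, gid_t primary,
                    gid_t *out, size_t max)
{
    size_t i, j, count = 0;
    if (max) out[count++] = primary;
    for (i = 0; i < n && count < max; i++) {
        for (j = 0; j < count && out[j] != in[i]; j++) ;
        if (j == count) out[count++] = in[i];    /* first time we see this gid */
    }
    return count;
}

/* Switch to `user`'s groups as Samba does on Darwin: look up the full list,
 * keep 16, then setgroups(). Needs root and a real account (not self-checked). */
int set_user_groups(const char *user, gid_t primary)
{
    int n = 256;                  /* assumed lookup buffer size (example value) */
#ifdef __APPLE__
    int raw[256];                 /* Darwin declares getgrouplist() with int * */
#else
    gid_t raw[256];
#endif
    gid_t all[256], keep[DARWIN_NGROUPS_MAX];
    size_t i, kept;
    if (getgrouplist(user, primary, raw, &n) == -1)
        n = 256;                  /* list truncated: use the entries that fit */
    for (i = 0; i < (size_t)n; i++) all[i] = (gid_t)raw[i];
    kept = clamp_groups(all, (size_t)n, primary, keep, DARWIN_NGROUPS_MAX);
    if (setgroups(kept, keep) < 0) return -1;   /* EPERM unprivileged; EINVAL past 16 on Darwin */
    return setgid(primary);
}

/* Self-check on a constructed list: 20 gids, primary 1000 last (a naive "first
 * 16" cut would drop it), gid 0 duplicated. Returns 16, or 0 on a bad result. */
size_t demo_clamp(void)
{
    static const gid_t sample[20] = { 4, 20, 24, 25, 27, 29, 30, 44, 46, 100,
                                      0, 0, 110, 115, 120, 125, 130, 135, 140, 1000 };
    gid_t keep[DARWIN_NGROUPS_MAX];
    size_t i, j, n = clamp_groups(sample, 20, 1000, keep, DARWIN_NGROUPS_MAX);
    if (keep[0] != 1000) return 0;
    for (i = 0; i < n; i++) for (j = i + 1; j < n; j++) if (keep[i] == keep[j]) return 0;
    return n;
}
```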