[libvirt-users] libvirt.so is not safe to use from setuid programs

Daniel P. Berrange berrange at redhat.com
Thu Feb 4 14:03:16 UTC 2016

On Thu, Feb 04, 2016 at 01:42:12PM +0000, Jean-Pierre Ribeauville wrote:
> Hi,
> When trying to connect the HyperVisor from a binary
> having  setuid bit set , then I got following error:
> Unable to perform virConnectOpenReadOnly function error(internal
> error: libvirt.so is not safe to use from setuid programs)
> My test software config is the following :
> -rwsr-xr-x. 1 root root 3374956 Feb  4 13:45 test
> As this test software needs S bit to be able to access O.S.
> metrics counters , how may I use it to retrieve  KVM metrics
> counters ?

You should re-write your app so that it does not need to have
the setuid be present for everything it does. Create a tiny
self-contained executable for *only* accessing OS metrics
counters, so that bit can run setuid, and the main bulk of
your app can run unprivileged.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvirt-users mailing list