[libvirt] [PATCH] Solaris least privilege support

Daniel Veillard veillard at redhat.com
Fri Jan 16 07:35:16 UTC 2009


On Thu, Jan 15, 2009 at 09:19:39AM -0800, john.levon at sun.com wrote:
> # HG changeset patch
> # User john.levon at sun.com
> # Date 1232039546 28800
> # Node ID b9d4d60bca87633897cb133461e1415d1223c823
> # Parent  25a0c46588d5de1653b16dfed6bc357abf11db77
> Solaris least privilege support
> 
> On Solaris dom0, virtd runs as a privilege barrier: all libvirt
> connections are routed through it, and it performs the relevant
> privilege checks for any clients.

  This looks fine to me except that chunk:

> @@ -2417,6 +2493,20 @@ int main(int argc, char **argv) {
>      sig_action.sa_handler = SIG_IGN;
>      sigaction(SIGPIPE, &sig_action, NULL);
>  
> +    /* Change the group ownership of /var/run/libvirt to unix_sock_gid */
> +    if (geteuid () == 0) {
> +        const char *rundir = LOCAL_STATE_DIR "/run/libvirt";
> +
> +        if (mkdir (rundir, 0755)) {
> +            if (errno != EEXIST) {
> +                VIR_ERROR0 (_("unable to create rundir"));
> +                return (-1);
> +            }
> +        }
> +    }
> +
> +    qemudSetupPrivs(server);
> +

  The comment and the code don't seems to match, and it seems to me
that this code would fail except in the first time the daemon is
launched because mkdir /var/run/libvirt will return -1 and errno EEXIST
in all following cases. I'm worried about this,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/




More information about the libvir-list mailing list