
Re: [libvirt] PATCH: Remove all getuid==0 checks from code



On Tue, Jun 02, 2009 at 08:29:47AM -0500, Serge E. Hallyn wrote:
> Quoting Daniel P. Berrange (berrange redhat com):
> > This patch is preparing the way for future work on allowing the libvirtd
> > daemon to run as a less-privileged user ID. The idea is that we will 
> > switch from 'root' to 'libvirtd', but use Linux capabilities to keep the
> > handful of higher privileges we need for our work. Thus any code which
> > does a check of 'getuid() == 0' is guaranteed to break [1].
> > 
> > The way this patch approaches this problem, is to change the driver
> > initialization function virStateInitialize() to have it be passed in a
> > 'int privileged' flag from the libvirtd daemon. Each driver is updated
> > to record this flag, and use it for checks where needed. The only real
> > exception is the Xen driver, where we simply check access(2) against
> > the file we need to open.
> 
> Hi Daniel,
> 
> just a few questions:
> 
> ...
> 
> > diff -r 5e3b5d1f91c2 qemud/qemud.c
> ...
> > @@ -2871,7 +2870,7 @@ int main(int argc, char **argv) {
> >      sigaction(SIGPIPE, &sig_action, NULL);
> > 
> >      /* Ensure the rundir exists (on tmpfs on some systems) */
> > -    if (geteuid () == 0) {
> > +    if (getuid() == 0) {
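Review bot: the replacement line `+    if (getuid() == 0) {` reintroduces a uid-zero test in main(), the very kind of check this patch sets out to remove; once libvirtd runs as the 'libvirtd' user with retained capabilities this branch evaluates false even though the daemon still holds the privileges needed to create the rundir. Suggest driving this branch from the same `privileged` flag that is passed to virStateInitialize(), or dropping the condition outright, as the reply below says was the intent, so that the rundir logic no longer depends on the uid.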
> 
> Why this change?

I removed that line originally. And then put it back wrong. Will
fix that.


> >      logmode = O_CREAT | O_WRONLY;
> > -    if (uid != 0)
> > +    /* Only logrotate files in /var/log, so only append if running privileged */
> > +    if (driver->privileged)
> > +        logmode |= O_APPEND;
> > +    else
> >          logmode |= O_TRUNC;
> > -    else
> > -        logmode |= O_APPEND;
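Review bot: with `+    if (driver->privileged)` selecting O_APPEND only for the privileged case, an unprivileged daemon opens its log with O_TRUNC on every start, so each restart discards the previous session's log, which is exactly the record an operator wants after a crash or an unexpected restart. Suggest appending in both cases and bounding the file some other way, or making the truncate-versus-append choice a daemon config option as the reply already floats. The new comment `/* Only logrotate files in /var/log, so only append if running privileged */` would also read more clearly as `/* Files in /var/log are handled by logrotate, so append only when running privileged */`.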
> 
> Hmm, so if I run as unpriv user my logfiles will always be truncated?

Yeah, when running as privileged, logs are in /var/log where a logrotate
script takes care of them. With non-privileged, we truncate because we
don't want them to grow without bound forever. Arguably we could make
this a config file option for the daemon...

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
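The pattern the patch describes, the daemon deciding once whether it is privileged and every driver recording that flag instead of calling getuid() itself, as an added C example that is not libvirt's code. The names `example_driver`, `example_log_flags`, `example_driver_init` and `example_daemon_is_privileged` are hypothetical stand-ins for the driver struct, the log-mode selection shown in the hunk and virStateInitialize(); the log directory paths are constructed for illustration.

```c
/* Added example (not libvirt's code): the "pass a privileged flag down"
 * pattern from the thread. The daemon decides once; drivers never call
 * getuid() or geteuid(). All names and paths are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

struct example_driver {
    int privileged;      /* recorded from the daemon at init time */
    int logmode;         /* open(2) flags chosen for the log file */
    const char *logdir;  /* where the log file lives (constructed paths) */
};

/* Log-file open flags, mirroring the hunk: append when a logrotate job
 * manages /var/log, truncate for an unprivileged per-user daemon so the
 * file stays bounded (at the cost of losing the previous session's log). */
int example_log_flags(int privileged)
{
    int logmode = O_CREAT | O_WRONLY;
    if (privileged)
        logmode |= O_APPEND;
    else
        logmode |= O_TRUNC;
    return logmode;
}

/* Stand-in for virStateInitialize(privileged): the driver only records the
 * flag and derives everything else from it, never from the uid. */
int example_driver_init(struct example_driver *drv, int privileged)
{
    drv->privileged = privileged;
    drv->logmode = example_log_flags(privileged);
    drv->logdir = privileged ? "/var/log/example" : "~/.example/log";
    return 0;
}

/* Daemon-side decision, made exactly once. The euid test is the plain-root
 * case; a capability-retaining setup would replace this single function
 * (for instance with a libcap query, not shown) without touching any driver. */
int example_daemon_is_privileged(void)
{
    return geteuid() == 0;
}

int main(void)
{
    struct example_driver drv;
    example_driver_init(&drv, example_daemon_is_privileged());
    printf("privileged=%d logdir=%s append=%d\n", drv.privileged, drv.logdir,
           (drv.logmode & O_APPEND) != 0);
    return 0;
}
```

Keeping the privilege decision in one daemon-side function is what makes the later move to capabilities a one-line change; every `getuid() == 0` scattered through the drivers would otherwise have to be found and rewritten.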
