[libvirt] [PATCH 2/2] virt-login-shell joins users into lxc container.

Eric Blake eblake at redhat.com
Thu Jan 2 15:44:47 UTC 2014


On 01/02/2014 08:18 AM, Daniel J Walsh wrote:
> On 12/23/2013 05:44 PM, Eric Blake wrote:
>> On 12/23/2013 03:17 PM, Eric Blake wrote:
> 
>>>>> +    if (!(conf = virConfReadFile(login_shell_path, 0))) +	goto
>>>>> cleanup;
>>>>
>>>> ...and non-root invariably fails here, since login_shell_path 
>>>> (/etc/libvirt/virt-login-shell.conf) is buried inside a directory that 
>>>> is not searchable by either root or virtlogin.
>>>
>>> Ah, I see - non-root fails here if run unprivileged (such as under gdb), 
>>> but when run setuid it has the permissions of root and can read the file 
>>> just fine.
> 
> Maybe need to give it cap_dac_read_search?
> 
> /* Overrides all DAC restrictions regarding read and search on files
>    and directories, including ACL restrictions if [_POSIX_ACL] is
>    defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. */
> 
> #define CAP_DAC_READ_SEARCH  2

Nah, I was able to fix the issue without needing any more caps:
https://www.redhat.com/archives/libvir-list/2013-December/msg01243.html

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140102/d4d59563/attachment-0001.sig>


More information about the libvir-list mailing list