[libvirt] [PATCH] [RFC] virSetUIDGID: Don't leak supplementary groups

Martin Kletzander mkletzan at redhat.com
Wed Nov 18 06:35:39 UTC 2015


On Tue, Nov 17, 2015 at 10:02:36PM +0100, Richard Weinberger wrote:
>On Wed, Jun 24, 2015 at 11:19 AM, Martin Kletzander <mkletzan at redhat.com> wrote:
>> On Tue, Jun 23, 2015 at 01:48:42PM +0200, Richard Weinberger wrote:
>>>
>>> The LXC driver uses virSetUIDGID() to become UID/GID 0.
>>> It passes an empty groups list to virSetUIDGID()
>>> to get rid of all supplementary groups from the host side.
>>> But virSetUIDGID() calls setgroups() only if the supplied list
>>> is larger than 0.
>>> This leads to a container root with unrelated supplementary groups.
>>> In most cases this issue is unnoticed as libvirtd runs as UID/GID 0
>>> without any supplementary groups.
>>>
>>> Signed-off-by: Richard Weinberger <richard at nod.at>
>>> ---
>>> I've marked that patch as RFC as I'm not sure if all users of
>>> virSetUIDGID()
>>> expect this behavior too.
>>>
>>
>> I went through the callers and I see no reason why setgroups should
>> not be called.  ACK.  I also can't think of a use case in which we'd
>> like to keep the supplemental groups.
>
>Ping?
>

Oh, sorry, I didn't realize you don't have push access.  Would you
happen to have these patches around somewhere?  The originals got
archived automatically.  If you send them to me, I'll push them; it
would be easier than me sucking it out of the ML archive (the same
applies for the other patch: "bind mount container TTYs").

Martin

>--
>Thanks,
>//richard
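
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not libvirt's code: a small model of the supplementary group list shows why skipping the call for an empty list leaves the inherited host groups in place. `fake_proc`, `fake_setgroups`, the helper names and the sample GIDs are constructed for illustration; `getgroups(0, NULL)` is the real call for counting the groups of a live process.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed model of a process's supplementary group list, so the
 * example runs without CAP_SETGID. Hypothetical names, not libvirt code. */
#define MAX_GROUPS 16
struct fake_proc { gid_t groups[MAX_GROUPS]; size_t ngroups; };

/* Stand-in for setgroups(2): replaces the whole list; size 0 clears it. */
static int fake_setgroups(struct fake_proc *p, size_t n, const gid_t *list)
{
    if (n > MAX_GROUPS)
        return -1;
    if (n > 0)
        memcpy(p->groups, list, n * sizeof(*list));
    p->ngroups = n;
    return 0;
}

/* Pattern described in the thread: the call is skipped for an empty list,
 * so whatever the parent had is inherited unchanged. */
static int set_groups_skip_empty(struct fake_proc *p, const gid_t *l, size_t n)
{
    if (n > 0 && fake_setgroups(p, n, l) < 0)
        return -1;
    return 0;
}

/* Corrected pattern: always call, so an empty list drops every group. */
static int set_groups_always(struct fake_proc *p, const gid_t *l, size_t n)
{
    return fake_setgroups(p, n, l);
}

/* Number of supplementary groups left after asking for an empty list. */
size_t groups_left_after(int always)
{
    /* Constructed sample: parent started with host groups 10, 36 and 107. */
    struct fake_proc p = { .groups = {10, 36, 107}, .ngroups = 3 };
    int rc = always ? set_groups_always(&p, NULL, 0)
                    : set_groups_skip_empty(&p, NULL, 0);
    return rc < 0 ? (size_t)-1 : p.ngroups;
}

/* Check for a real process: size 0 makes getgroups(2) return the count. */
int real_group_count(void) { return getgroups(0, NULL); }
```

Calling `real_group_count()` right after the credential switch in a child process and expecting 0 is a cheap regression check for this class of leak.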