[libvirt] [PATCH 2/3] util: virfile: Clarify setuid usage for virFileRemove

John Ferlan jferlan at redhat.com
Wed Mar 9 20:29:50 UTC 2016 


On 03/09/2016 12:38 PM, Cole Robinson wrote:
> Break these checks out into their own function, and clearly document
> each one. This shouldn't change behavior
> ---
>  src/util/virfile.c | 33 +++++++++++++++++++++++++++------
>  1 file changed, 27 insertions(+), 6 deletions(-)
> 
> diff --git a/src/util/virfile.c b/src/util/virfile.c
> index f45e18f..cea2674 100644
> --- a/src/util/virfile.c
> +++ b/src/util/virfile.c
> @@ -2314,6 +2314,32 @@ virFileOpenAs(const char *path, int openflags, mode_t mode,
>  }
>  
>  
> +/* virFileRemoveNeedsSetuid:
> + * @uid: file uid to check
> + * @gid: file gid to check
> + *
> + * Return true if we should use setuid/setgid before deleting a file
> + * owned by the passed uid/gid pair. Needed for NFS with root-squash
> + */
> +static bool
> +virFileRemoveNeedsSetuid(uid_t uid, gid_t gid)
> +{
> +    /* If running unprivileged, setuid isn't going to work */
> +    if (geteuid() != 0)
> +        return false;
> +
> +    /* uid/gid weren'd specified */

weren't

ACK - with the nit fixed... The rest is me typing out my thoughts...

John

> +    if ((uid == (uid_t) -1) && (gid == (gid_t) -1))
> +        return false;

This "should" only happen as failure path of
virStorageBackendCreateExecCommand when uid/gid not provided in the XML.
The virStorageBackendCreateRaw failure path expects creation to have
occurred where virFileOpenAs would have set the owner/mode due to the
operation_flags setting.

> +
> +    /* already running as proper uid/gid */
> +    if (uid == geteuid() && gid == getegid())
> +        return false;
> +

If the XML provided uid/gid and it's root - that's what we want

> +    return true;
> +}
> +
> +
>  /* virFileRemove:
>   * @path: file to unlink or directory to remove
>   * @uid: uid that was used to create the file (not required)
> @@ -2335,12 +2361,7 @@ virFileRemove(const char *path,
>      gid_t *groups;
>      int ngroups;
>  
> -    /* If not running as root or if a non explicit uid/gid was being used for
> -     * the file/volume or the explicit uid/gid matches, then use unlink directly
> -     */
> -    if ((geteuid() != 0) ||
> -        ((uid == (uid_t) -1) && (gid == (gid_t) -1)) ||
> -        (uid == geteuid() && gid == getegid())) {
> +    if (!virFileRemoveNeedsSetuid(uid, gid)) {
>          if (virFileIsDir(path))
>              return rmdir(path);
>          else
>

More information about the libvir-list mailing list