git.ipfire.org Git - thirdparty/libvirt.git/commit

author	Laine Stump <laine@laine.org>
	Tue, 21 Dec 2010 20:34:41 +0000 (15:34 -0500)
committer	Laine Stump <laine@laine.org>
	Thu, 23 Dec 2010 21:48:37 +0000 (16:48 -0500)
commit	f42cf7cb7902196382a65e5316c974a5c2106401
tree	63aa0ba5ba58f581e450bab3ec4fd1c210df9b35	tree
parent	d596c6dc9b64ca0c910a87127de72ed2ef47b692	commit \| diff

Replace setuid/setgid/initgroups with virSetUIDGID()

This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406

If qemu is run as a different uid, it has been unable to access mode
0660 files that are owned by a different user, but with a group that
the qemu is a member of (aside from the one group listed in the passwd
file), because initgroups() is not being called prior to the
exec. initgroups will change the group membership of the process (and
its children) to match the new uid.

To make this happen, the setregid()/setreuid() code in
qemuSecurityDACSetProcessLabel has been replaced with a call to
virSetUIDGID(), which does both of those, plus calls initgroups.

Similar, but not identical, code in qemudOpenAsUID() has been replaced
with virSetUIDGID(). This not only consolidates the functionality to a
single location, but also potentially fixes some as-yet unreported
bugs.

src/qemu/qemu_driver.c		diff \| blob \| blame \| history
src/qemu/qemu_security_dac.c		diff \| blob \| blame \| history