NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

util: add virCommandSetUID and virCommandSetGID

Browse Source 
If a uid and/or gid is specified for a command, it will be set just
after the user-supplied post-fork "hook" function is called.

The intent is that this can replace user hook functions that set
uid/gid. This moves the setting of uid/gid and dropping of
capabilities closer to each other, which is important since the two
should really be done at the same time (libcapng provides a single
function that does both, which we will be unable to use, but want to
mimic as closely as possible).
This commit is contained in:
Laine Stump 2013-01-30 14:47:56 -05:00
parent ad5cb11be6
commit 417182b072
3 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libvirt_private.syms
View File

@ -158,12 +158,14 @@ virCommandRun;
virCommandRunAsync; virCommandRunAsync;
virCommandSetErrorBuffer; virCommandSetErrorBuffer;
virCommandSetErrorFD; virCommandSetErrorFD;
virCommandSetGID;
virCommandSetInputBuffer; virCommandSetInputBuffer;
virCommandSetInputFD; virCommandSetInputFD;
virCommandSetOutputBuffer; virCommandSetOutputBuffer;
virCommandSetOutputFD; virCommandSetOutputFD;
virCommandSetPidFile; virCommandSetPidFile;
virCommandSetPreExecHook; virCommandSetPreExecHook;
virCommandSetUID;
virCommandSetWorkingDirectory; virCommandSetWorkingDirectory;
virCommandToString; virCommandToString;
virCommandTransferFD; virCommandTransferFD;

29
src/util/vircommand.c
View File

@ -100,6 +100,8 @@ struct _virCommand {
char *pidfile; char *pidfile;
bool reap; bool reap;
uid_t uid;
gid_t gid;
unsigned long long capabilities; unsigned long long capabilities;
}; };
@ -604,6 +606,13 @@ virExec(virCommandPtr cmd)
goto fork_error; goto fork_error;
} }
if (cmd->uid != (uid_t)-1 || cmd->gid != (gid_t)-1) {
VIR_DEBUG("Setting child uid:gid to %d:%d",
(int)cmd->uid, (int)cmd->gid);
if (virSetUIDGID(cmd->uid, cmd->gid) < 0)
goto fork_error;
}
if (cmd->pwd) { if (cmd->pwd) {
VIR_DEBUG("Running child in %s", cmd->pwd); VIR_DEBUG("Running child in %s", cmd->pwd);
if (chdir(cmd->pwd) < 0) { if (chdir(cmd->pwd) < 0) {
@ -765,6 +774,8 @@ virCommandNewArgs(const char *const*args)
cmd->infd = cmd->inpipe = cmd->outfd = cmd->errfd = -1; cmd->infd = cmd->inpipe = cmd->outfd = cmd->errfd = -1;
cmd->pid = -1; cmd->pid = -1;
cmd->uid = -1;
cmd->gid = -1;
virCommandAddArgSet(cmd, args); virCommandAddArgSet(cmd, args);
@ -903,6 +914,24 @@ virCommandSetPidFile(virCommandPtr cmd, const char *pidfile)
} }
void
virCommandSetGID(virCommandPtr cmd, gid_t gid)
{
if (!cmd || cmd->has_error)
return;
cmd->gid = gid;
}
void
virCommandSetUID(virCommandPtr cmd, uid_t uid)
{
if (!cmd || cmd->has_error)
return;
cmd->uid = uid;
}
/** /**
* virCommandClearCaps: * virCommandClearCaps:
* @cmd: the command to modify * @cmd: the command to modify

6
src/util/vircommand.h
View File

@ -1,7 +1,7 @@
/* /*
* vircommand.h: Child command execution * vircommand.h: Child command execution
* *
* Copyright (C) 2010-2011 Red Hat, Inc. * Copyright (C) 2010-2013 Red Hat, Inc.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public * modify it under the terms of the GNU Lesser General Public
@ -61,6 +61,10 @@ void virCommandTransferFD(virCommandPtr cmd,
void virCommandSetPidFile(virCommandPtr cmd, void virCommandSetPidFile(virCommandPtr cmd,
const char *pidfile) ATTRIBUTE_NONNULL(2); const char *pidfile) ATTRIBUTE_NONNULL(2);
void virCommandSetGID(virCommandPtr cmd, gid_t gid);
void virCommandSetUID(virCommandPtr cmd, uid_t uid);
void virCommandClearCaps(virCommandPtr cmd); void virCommandClearCaps(virCommandPtr cmd);
void virCommandAllowCap(virCommandPtr cmd, void virCommandAllowCap(virCommandPtr cmd,