qemu-devel

Re: [Qemu-devel] [PATCH] os-posix: set groups properly for -runas


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH] os-posix: set groups properly for -runas
Date: Tue, 12 Jul 2011 16:59:06 +0100

On Sat, Jul 9, 2011 at 10:22 AM, Stefan Hajnoczi
<address@hidden> wrote:
> Andrew Griffiths reports that -runas does not set supplementary group
> IDs.  This means that gid 0 (root) is not dropped when switching to an
> unprivileged user.
>
> Add an initgroups(3) call to use the -runas user's /etc/groups
> membership to update the supplementary group IDs.
>
> Signed-off-by: Stefan Hajnoczi <address@hidden>
> ---
> Note this needs compile testing on various POSIX host platforms.  Tested on
> Linux.  Should work on BSD and Solaris.  initgroups(3) is SVr4/BSD but not in
> POSIX.
>
>  os-posix.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)

Are you happy with this patch?  Bumping because security-related.

Regarding portability, Linux, BSD, Solaris, and Mac OS X all provide
initgroups(3).  I think we're good.

Stefan
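
The privilege drop discussed in this message, as an added example that is not QEMU's os-posix.c code: supplementary groups via initgroups(3), then the primary gid, then the uid, followed by a getgroups(2) check for whether gid 0 is still held. The helper names (`gid_in_list`, `process_has_supplementary_gid`, `drop_to_user`) are hypothetical.

```c
#define _DEFAULT_SOURCE   /* initgroups(3) is SVr4/BSD, not POSIX */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 if gid is among the n entries of list, else 0. */
static int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* 1 if the process holds gid as a supplementary group, 0 if not, -1 on error. */
static int process_has_supplementary_gid(gid_t gid)
{
    int n = getgroups(0, NULL);              /* size 0: only ask for the count */
    if (n < 0) return -1;
    gid_t *list = calloc((size_t)n + 1, sizeof(*list));
    if (!list) return -1;
    n = getgroups(n, list);
    int found = (n < 0) ? -1 : gid_in_list(list, n, gid);
    free(list);
    return found;
}

/* Switch to user_name. Groups first, uid last: once the uid is dropped
 * the process is no longer allowed to change its group list. */
static int drop_to_user(const char *user_name)
{
    struct passwd *pw = getpwnam(user_name);
    if (!pw) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) < 0 ||  /* supplementary groups */
        setgid(pw->pw_gid) < 0 ||                   /* primary group */
        setuid(pw->pw_uid) < 0)                     /* user id, irreversible */
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;  /* root must be gone */
    return 0;
}

/* Run as root with a user name as the only argument. */
int main(int argc, char **argv)
{
    if (argc != 2 || drop_to_user(argv[1]) < 0)
        return 1;
    printf("gid 0 still held: %d\n", process_has_supplementary_gid(0));
    return 0;
}
```

Removing the initgroups() line and running the program as root shows the reported behaviour: the uid changes but the check still prints 1.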


