Comment 4 for bug 807893

Stefan Hajnoczi (stefanha) wrote : Re: [Qemu-devel] [PATCH] os-posix: set groups properly for -runas

On Sat, Jul 9, 2011 at 10:22 AM, Stefan Hajnoczi
<email address hidden> wrote:
> Andrew Griffiths reports that -runas does not set supplementary group
> IDs.  This means that gid 0 (root) is not dropped when switching to an
> unprivileged user.
>
> Add an initgroups(3) call to use the -runas user's /etc/groups
> membership to update the supplementary group IDs.
>
> Signed-off-by: Stefan Hajnoczi <email address hidden>
> ---
> Note this needs compile testing on various POSIX host platforms.  Tested on
> Linux.  Should work on BSD and Solaris.  initgroups(3) is SVr4/BSD but not in
> POSIX.
>
>  os-posix.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)

Are you happy with this patch? Bumping because security-related.

Regarding portability, Linux, BSD, Solaris, and Mac OS X all provide
initgroups(3). I think we're good.

Stefan
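
The privilege drop discussed in the quoted commit message, as an added C example that is not part of the original message and is not QEMU's os-posix.c. The function names `root_group_held`, `process_holds_root_group` and `drop_to_user` are hypothetical, and the program must be started as root with a user name as its argument to exercise the drop.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* exposes initgroups(3) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Hypothetical helper (not QEMU code): 1 if gid 0 is still held as the
 * real, effective or a supplementary group, else 0. */
static int root_group_held(gid_t rgid, gid_t egid, const gid_t *supp, int n)
{
    if (rgid == 0 || egid == 0) return 1;
    for (int i = 0; i < n; i++)
        if (supp[i] == 0) return 1;
    return 0;
}

/* Same check against the live process; -1 if the list cannot be read. */
static int process_holds_root_group(void)
{
    int n = getgroups(0, NULL);              /* ask for the count first */
    if (n < 0) return -1;
    gid_t *supp = calloc((size_t)n + 1, sizeof(*supp));
    if (!supp) return -1;
    n = getgroups(n, supp);
    int held = n < 0 ? -1 : root_group_held(getgid(), getegid(), supp, n);
    free(supp);
    return held;
}

/* The group calls need root, so they must come before setuid(). */
static int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) < 0) return -1; /* replaces root's supplementary groups */
    if (setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;       /* root must not be recoverable */
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : NULL;
    if (!pw) { fprintf(stderr, "usage: %s <user>\n", argv[0]); return 2; }
    if (drop_to_user(pw) < 0) { perror("drop_to_user"); return 1; }
    printf("uid=%d gid=%d root group held: %d\n", (int)getuid(), (int)getgid(), process_holds_root_group());
    return 0;
}
```

If the `initgroups()` line is removed, the final report still shows the root group as held after the uid and gid have changed, provided the starting root process had gid 0 in its supplementary list. That is the condition reported in this bug.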