External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

util: drop capabilities immediately after changing uid/gid of child

Browse Source 
This is an interim measure to make sure everything still works in this
order. The next step will be to perform capabilities drop and
setuid/gid as a single operation (which is the only way to keep any
capabilities when switching to a non-root uid).
This commit is contained in:
Laine Stump 2013-02-01 16:26:25 -05:00
parent 0345c7281b
commit c0e3e685cd
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/util/vircommand.c
View File

@ -652,6 +652,12 @@ virExec(virCommandPtr cmd)
goto fork_error;
}
/* The steps above may need todo something privileged, so
* we delay clearing capabilities until the last minute */
if (cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS))
if (virSetCapabilities(cmd->capabilities) < 0)
goto fork_error;
if (cmd->pwd) {
VIR_DEBUG("Running child in %s", cmd->pwd);
if (chdir(cmd->pwd) < 0) {
@ -670,12 +676,6 @@ virExec(virCommandPtr cmd)
goto fork_error;
}
/* The steps above may need todo something privileged, so
* we delay clearing capabilities until the last minute */
if (cmd->capabilities || (cmd->flags & VIR_EXEC_CLEAR_CAPS))
if (virSetCapabilities(cmd->capabilities) < 0)
goto fork_error;
/* Close logging again to ensure no FDs leak to child */
virLogReset();