os-posix: set groups properly for -runas
Andrew Griffiths reports that -runas does not set supplementary group IDs. This means that gid 0 (root) is not dropped when switching to an unprivileged user. Add an initgroups(3) call to use the -runas user's /etc/groups membership to update the supplementary group IDs. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Acked-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
parent
429bef6912
commit
cc4662f964
|
@ -31,6 +31,7 @@
|
||||||
/*needed for MAP_POPULATE before including qemu-options.h */
|
/*needed for MAP_POPULATE before including qemu-options.h */
|
||||||
#include <sys/mman.h>
|
#include <sys/mman.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
|
#include <grp.h>
|
||||||
#include <libgen.h>
|
#include <libgen.h>
|
||||||
|
|
||||||
/* Needed early for CONFIG_BSD etc. */
|
/* Needed early for CONFIG_BSD etc. */
|
||||||
|
@ -199,6 +200,11 @@ static void change_process_uid(void)
|
||||||
fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
|
fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) {
|
||||||
|
fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n",
|
||||||
|
user_pwd->pw_name, user_pwd->pw_gid);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
if (setuid(user_pwd->pw_uid) < 0) {
|
if (setuid(user_pwd->pw_uid) < 0) {
|
||||||
fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
|
fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid);
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
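Review bot: The new initgroups() failure branch in change_process_uid prints only the user name and gid, so an operator cannot tell a permission error from a failed group-database lookup, and it passes `user_pwd->pw_gid`, a `gid_t`, to `%d`. I would report errno and cast the id: `fprintf(stderr, "Failed to initgroups(\"%s\", %lu): %s\n", user_pwd->pw_name, (unsigned long)user_pwd->pw_gid, strerror(errno));`, which assumes `<errno.h>` and `<string.h>` are already included (the include hunk does not show them). A short comment above the call would also protect the ordering, for example `/* must run before setuid(): replaces the supplementary groups inherited from the invoking user */`, because moving the call after setuid() would normally make it fail for lack of privilege. The function starts and ends outside the hunk, so any later check that the privilege drop actually took effect is not visible here.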