spec: Restrict virt-login-shell usage

https://bugzilla.redhat.com/show_bug.cgi?id=1033614 As virt-login-shell is an SUID binary, we should restrict its usage to just the users chosen by an administrator to use virt-login-shell as their login shell. This can easily be done by making the binary executable only by users from a new virtlogin group.

spec: Restrict virt-login-shell usage
https://bugzilla.redhat.com/show_bug.cgi?id=1033614 As virt-login-shell is an SUID binary, we should restrict its usage to just the users chosen by an administrator to use virt-login-shell as their login shell. This can easily be done by making the binary executable only by users from a new virtlogin group.
0ee23643 · Jiri Denemark · cc38d68d · 0ee23643
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

libvirt.spec.in libvirt.spec.in +7 -1

未找到文件。
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1727,6 +1727,12 @@ if getent group sanlock > /dev/null ; then
 fi
 %endif

+%if %{with_lxc}
+%pre login-shell
+getent group virtlogin >/dev/null || groupadd -r virtlogin
+exit 0
+%endif
+
 %files
 %defattr(-, root, root)

@@ -2072,7 +2078,7 @@ fi

 %if %{with_lxc}
 %files login-shell
-%attr(4755, root, root) %{_bindir}/virt-login-shell
+%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
 %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
 %{_mandir}/man1/virt-login-shell.1*
 %endif