m4: Run QEMU under a distro-specific user when possible

Our current defaults are root:wheel on FreeBSD and macOS, root:root everywhere else. Looking at what downstream distributions actually do, we can see that these defaults are overriden the vast majority of the time, with a number of variations showing up in the wild: * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL and... As it turns out, our very own spec file :) * libvirt-qemu:libvirt-qemu -> Used by Debian. * libvirt-qemu:kvm -> Used by Ubuntu. * nobody:nobody -> Used by Arch Linux. Based on this information, we can do a better job at integrating with downstream packages: if the distro-specific user and group already exist on the system then we use them, and if not (or we're building on an unknown OS) we just use root:root as we would have before. This change makes it less likely that people building from source will end up running their guests as root, which is a very desiderable outcome from the security point of view. Signed-off-by: N Andrea Bolognani <abologna@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>

m4: Run QEMU under a distro-specific user when possible
Our current defaults are root:wheel on FreeBSD and macOS, root:root everywhere else. Looking at what downstream distributions actually do, we can see that these defaults are overriden the vast majority of the time, with a number of variations showing up in the wild: * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL and... As it turns out, our very own spec file :) * libvirt-qemu:libvirt-qemu -> Used by Debian. * libvirt-qemu:kvm -> Used by Ubuntu. * nobody:nobody -> Used by Arch Linux. Based on this information, we can do a better job at integrating with downstream packages: if the distro-specific user and group already exist on the system then we use them, and if not (or we're building on an unknown OS) we just use root:root as we would have before. This change makes it less likely that people building from source will end up running their guests as root, which is a very desiderable outcome from the security point of view. Signed-off-by: N Andrea Bolognani <abologna@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>
29cd1877 · Andrea Bolognani · c34b3eef · 29cd1877
隐藏空白更改
内联并排

Showing with 36 addition and 2 deletion

m4/virt-driver-qemu.m4 m4/virt-driver-qemu.m4 +36 -2

未找到文件。
--- a/m4/virt-driver-qemu.m4
+++ b/m4/virt-driver-qemu.m4
@@ -44,8 +44,42 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_QEMU], [
    default_qemu_user=root
    default_qemu_group=wheel
  else
-    default_qemu_user=root
-    default_qemu_group=root
+    # Try to integrate gracefully with downstream packages by running QEMU
+    # processes using the same user and group they would
+    case $(grep ^ID= /etc/os-release 2>/dev/null) in
+      *arch*)
+        default_qemu_user=nobody
+        default_qemu_group=nobody
+        ;;
+      *centos*|*fedora*|*gentoo*|*rhel*|*suse*)
+        default_qemu_user=qemu
+        default_qemu_group=qemu
+        ;;
+      *debian*)
+        default_qemu_user=libvirt-qemu
+        default_qemu_group=libvirt-qemu
+        ;;
+      *ubuntu*)
+        default_qemu_user=libvirt-qemu
+        default_qemu_group=kvm
+        ;;
+      *)
+        default_qemu_user=root
+        default_qemu_group=root
+        ;;
+    esac
+    # If the expected user and group don't exist, or we haven't hit any
+    # of the cases above because we're running on an unknown OS, the only
+    # sensible fallback is root:root
+    AC_MSG_CHECKING([for QEMU credentials ($default_qemu_user:$default_qemu_group)])
+    if getent passwd "$default_qemu_user" >/dev/null 2>&1 && \
+       getent group "$default_qemu_group" >/dev/null 2>&1; then
+      AC_MSG_RESULT([ok])
+    else
+      AC_MSG_RESULT([not found, using root:root instead])
+      default_qemu_user=root
+      default_qemu_group=root
+    fi
  fi

  if test "x$with_qemu_user" = "xplatform dependent" ; then