Add helpers for getting env vars in a setuid environment

Care must be taken accessing env variables when running
setuid. Introduce a virGetEnvAllowSUID for env vars which
are safe to use in a setuid environment, and another
virGetEnvBlockSUID for vars which are not safe. Also add
a virIsSUID helper method for any other non-env var code
to use.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit ae53e5d1)
上级 90171893
......@@ -93,6 +93,7 @@ recv
regex
random_r
sched
secure_getenv
send
setenv
setsockopt
......
......@@ -2042,6 +2042,8 @@ virFindFCHostCapableVport;
virFormatIntDecimal;
virGetDeviceID;
virGetDeviceUnprivSGIO;
virGetEnvAllowSUID;
virGetEnvBlockSUID;
virGetFCHostNameByWWN;
virGetGroupID;
virGetGroupList;
......@@ -2060,6 +2062,7 @@ virIndexToDiskName;
virIsCapableFCHost;
virIsCapableVport;
virIsDevMapperDevice;
virIsSUID;
virManageVport;
virParseNumber;
virParseOwnershipIds;
......
......@@ -2116,3 +2116,42 @@ cleanup:
return rc;
}
/**
* virGetEnvBlockSUID:
* @name: the environment variable name
*
* Obtain an environment variable which is unsafe to
* use when running setuid. If running setuid, a NULL
* value will be returned
*/
const char *virGetEnvBlockSUID(const char *name)
{
return secure_getenv(name);
}
/**
* virGetEnvBlockSUID:
* @name: the environment variable name
*
* Obtain an environment variable which is safe to
* use when running setuid. The value will be returned
* even when running setuid
*/
const char *virGetEnvAllowSUID(const char *name)
{
return getenv(name);
}
/**
* virIsSUID:
* Return a true value if running setuid. Does not
* check for elevated capabilities bits.
*/
bool virIsSUID(void)
{
return getuid() != geteuid();
}
......@@ -172,4 +172,8 @@ int virCompareLimitUlong(unsigned long long a, unsigned long b);
int virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr);
const char *virGetEnvBlockSUID(const char *name);
const char *virGetEnvAllowSUID(const char *name);
bool virIsSUID(void);
#endif /* __VIR_UTIL_H__ */
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
新手
引导
客服 返回
顶部