1. 07 8月, 2019 4 次提交
    • D
      tools: split virt-login-shell into two binaries · 4feeb2d9
      Daniel P. Berrangé 提交于
      The virt-login-shell binary is a setuid program that takes
      no arguments. When invoked it looks at the invoking uid,
      resolves it to a username, and finds an LXC guest with the
      same name. It then starts the guest and runs the shell in
      side the namespaces of the container.
      
      Given this set of tasks the virt-login-shell binary needs
      to connect to libvirtd, make various other libvirt API calls.
      This is a problem for setuid binaries as various libraries
      that libvirt.so links to are not safe. For example, they have
      constructor functions which execute an unknown amount of code
      that can be influenced by env variables.
      
      For this reason virt-login-shell doesn't use libvirt.so,
      but instead links to a custom, cut down, set of source files
      sufficient to be a local client only.
      
      This introduces a problem for integrating glib2 into libvirt
      though, as once integrated, there would be no way to build
      virt-login-shell without an external dependancy on glib2 and
      this is definitely not setuid safe.
      
      To resolve this problem, we split the virt-login-shell binary
      into two parts. The first part is setuid and does almost
      nothing. It simply records the original uid+gid, and then
      invokes the virt-login-shell-helper binary. Crucially when
      it does this it completes scrubs all environment variables.
      It is thus safe for virt-login-shell-helper to link to the
      normal libvirt.so. Any things that constructor functions
      do cannot be influenced by user control env vars or cli
      args.
      Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      4feeb2d9
    • D
      tools: rename source for virt-login-shell · 46754ffb
      Daniel P. Berrangé 提交于
      We'll shortly be renaming the binary to virt-login-shell-helper
      and introducing a new tool as virt-login-shell. Renaming the
      source file first gives a much more usefull diff for the next
      commit.
      Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      46754ffb
    • D
      tools: fix double error reporting in virt-login-shell · cd1f25a9
      Daniel P. Berrangé 提交于
      The public API entry points will call virDispatchError which
      will print to stderr by default. We then jump to a cleanup
      path which calls virDispatchError again.
      
      We tried to stop the entry points printing to stderr, but
      incorrectly called virSetErrorFunc. It needs a real function
      that is a no-op, not a NULL function.
      
      Once we fix virSetErrorFunc, then we need to use fprintf in
      the cleanup path instead of virDispatchError.
      Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      cd1f25a9
    • D
      tools: fix crash in virt-login-shell if config doesn't exist · 275bcbeb
      Daniel P. Berrangé 提交于
      If the 'allowed_users' config setting in virt-login-shell.conf
      does not exist, we dereference a NULL pointer resulting in a
      crash. We should check for this case and thus ensure the user
      is denied access gracefully.
      Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      275bcbeb
  2. 03 1月, 2019 1 次提交
  3. 20 9月, 2018 2 次提交
  4. 12 4月, 2018 1 次提交
  5. 25 11月, 2016 1 次提交
    • M
      virstring: Unify string list function names · c2a5a4e7
      Michal Privoznik 提交于
      We have couple of functions that operate over NULL terminated
      lits of strings. However, our naming sucks:
      
      virStringJoin
      virStringFreeList
      virStringFreeListCount
      virStringArrayHasString
      virStringGetFirstWithPrefix
      
      We can do better:
      
      virStringListJoin
      virStringListFree
      virStringListFreeCount
      virStringListHasString
      virStringListGetFirstWithPrefix
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      c2a5a4e7
  6. 19 7月, 2016 1 次提交
  7. 12 7月, 2016 1 次提交
  8. 20 6月, 2016 2 次提交
  9. 10 6月, 2016 7 次提交
  10. 15 4月, 2016 1 次提交
  11. 25 12月, 2015 1 次提交
  12. 15 9月, 2014 1 次提交
    • J
      Resolve Coverity CHECKED_RETURN · 07334ccb
      John Ferlan 提交于
      Coverity complained that checking the return of virDomainCreate()
      was not consistent amongst the callers - so added the return check
      to the objecteventtest.c and adjust the virt-login-shell to compare
      < 0 rather than just non zero for the failure condition.
      07334ccb
  13. 25 3月, 2014 1 次提交
  14. 06 3月, 2014 1 次提交
    • E
      virt-login-shell: silence coverity warning · cb9bd796
      Eric Blake 提交于
      Coverity spotted that 'nfdlist' (ssize_t) could be -1, but that we
      were using 'i' (size_t) to iterate over the list at cleanup, with
      crashing results because it promotes to a really big unsigned number.
      
      * tools/virt-login-shell.c (main): Avoid treating -1 as unsigned.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      cb9bd796
  15. 04 3月, 2014 4 次提交
    • E
      virt-login-shell: saner exit value · 730fc962
      Eric Blake 提交于
      virt-login-shell was exiting with status 0, regardless of what the
      wrapped shell returned.  This is unkind to users; we should behave
      more like env(1), nice(1), su(1), and other wrapper programs, by
      preserving the invoked application's status (which includes the
      distinction between death due to signal vs. normal death).
      
      * tools/virt-login-shell.c (main): Pass through child exit status.
      * tools/virt-login-shell.pod: Document exit status.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      730fc962
    • E
      virt-login-shell: use single instead of double fork · 4594a33b
      Eric Blake 提交于
      Note that 'virsh lxc-enter-namespace' must double-fork, for two
      reasons: some namespaces can only be done from a single thread,
      while virsh is multithreaded; and because virsh can be run in
      batch mode where we must not corrupt the namespace of that
      execution upon return from the subsidiary command.
      
      When virt-login-shell was first written, it blindly copied from
      'virsh lxc-enter-namespace', including the double-fork.  But
      neither of the reasons for double forking apply to
      virt-login-shell (we are single-threaded, and we have nothing to
      do after the child completes that would require us to preserve a
      namespace), so we can simplify life by using a single fork.
      In turn, this will make it easier for a future patch to pass the
      child's exit status on to the invoking shell.
      
      In flattening to a single fork, note that closing the fds must
      be done after fork, because the parent process still needs to
      use fds to control the virConnectPtr; meanwhile, chdir can be
      done prior to forking (in fact, it's easier to report errors
      on anything attempted before forking).
      
      * tools/virt-login-shell.c (main): Single rather than double fork.
      (virLoginShellFini): Delete, by inlining actions instead.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      4594a33b
    • E
      virFork: simplify semantics · 25f87817
      Eric Blake 提交于
      The old semantics of virFork() violates the priciple of good
      usability: it requires the caller to check the pid argument
      after use, *even when virFork returned -1*, in order to properly
      abort a child process that failed setup done immediately after
      fork() - that is, the caller must call _exit() in the child.
      While uses in virfile.c did this correctly, uses in 'virsh
      lxc-enter-namespace' and 'virt-login-shell' would happily return
      from the calling function in both the child and the parent,
      leading to very confusing results. [Thankfully, I found the
      problem by inspection, and can't actually trigger the double
      return on error without an LD_PRELOAD library.]
      
      It is much better if the semantics of virFork are impossible
      to abuse.  Looking at virFork(), the parent could only ever
      return -1 with a non-negative pid if it misused pthread_sigmask,
      but this never happens.  Up until this patch series, the child
      could return -1 with non-negative pid if it fails to set up
      signals correctly, but we recently fixed that to make the child
      call _exit() at that point instead of forcing the caller to do
      it.  Thus, the return value and contents of the pid argument are
      now redundant (a -1 return now happens only for failure to fork,
      a child 0 return only happens for a successful 0 pid, and a
      parent 0 return only happens for a successful non-zero pid),
      so we might as well return the pid directly rather than an
      integer of whether it succeeded or failed; this is also good
      from the interface design perspective as users are already
      familiar with fork() semantics.
      
      One last change in this patch: before returning the pid directly,
      I found cases where using virProcessWait unconditionally on a
      cleanup path of a virFork's -1 pid return would be nicer if there
      were a way to avoid it overwriting an earlier message.  While
      such paths are a bit harder to come by with my change to a direct
      pid return, I decided to keep the virProcessWait change in this
      patch.
      
      * src/util/vircommand.h (virFork): Change signature.
      * src/util/vircommand.c (virFork): Guarantee that child will only
      return on success, to simplify callers.  Return pid rather than
      status, now that the situations are always the same.
      (virExec): Adjust caller, also avoid open-coding process death.
      * src/util/virprocess.c (virProcessWait): Tweak semantics when pid
      is -1.
      (virProcessRunInMountNamespace): Adjust caller.
      * src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
      (virDirCreate): Likewise.
      * tools/virt-login-shell.c (main): Likewise.
      * tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
      * tests/commandtest.c (test23): Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      25f87817
    • E
      util: make it easier to grab only regular process exit · c72e76c3
      Eric Blake 提交于
      Right now, a caller waiting for a child process either requires
      the child to have status 0, or must use WIFEXITED() and friends
      itself.  But in many cases, we want the middle ground of treating
      fatal signals as an error, and directly accessing the normal exit
      value without having to use WEXITSTATUS(), in order to easily
      detect an expected non-zero exit status.  This adds the middle
      ground to the low-level virProcessWait; the next patch will add
      it to virCommand.
      
      * src/util/virprocess.h (virProcessWait): Alter signature.
      * src/util/virprocess.c (virProcessWait): Add parameter.
      (virProcessRunInMountNamespace): Adjust caller.
      * src/util/vircommand.c (virCommandWait): Likewise.
      * src/util/virfile.c (virFileAccessibleAs): Likewise.
      * src/lxc/lxc_container.c (lxcContainerHasReboot)
      (lxcContainerAvailable): Likewise.
      * daemon/libvirtd.c (daemonForkIntoBackground): Likewise.
      * tools/virt-login-shell.c (main): Likewise.
      * tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
      * tests/testutils.c (virtTestCaptureProgramOutput): Likewise.
      * tests/commandtest.c (test23): Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      c72e76c3
  16. 20 1月, 2014 1 次提交
  17. 10 1月, 2014 1 次提交
    • E
      virt-login-shell: fix regressions in behavior · 3d007cb5
      Eric Blake 提交于
      Our fixes for CVE-2013-4400 were so effective at "fixing" bugs
      in virt-login-shell that we ended up fixing it into a useless
      do-nothing program.
      
      Commit 3e2f27e1 picked the name LIBVIRT_SETUID_RPC_CLIENT for
      the witness macro when we are doing secure compilation.  But
      commit 9cd6a57d checked whether the name IN_VIRT_LOGIN_SHELL,
      from an earlier version of the patch series, was defined; with
      the net result that virt-login-shell invariably detected that
      it was setuid and failed virInitialize.
      
      Commit b7fcc799 closed all fds larger than stderr, but in the
      wrong place.  Looking at the larger context, we mistakenly did
      the close in between obtaining the set of namespace fds, then
      actually using those fds to switch namespace, which means that
      virt-login-shell will ALWAYS fail.
      
      This is the minimal patch to fix the regressions, although
      further patches are also worth having to clean up poor
      semantics of the resulting program (for example, it is rude to
      not pass on the exit status of the wrapped program back to the
      invoking shell).
      
      * tools/virt-login-shell.c (main): Don't close fds until after
      namespace swap.
      * src/libvirt.c (virGlobalInit): Use correct macro.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      3d007cb5
  18. 24 12月, 2013 1 次提交
  19. 21 10月, 2013 2 次提交
  20. 14 8月, 2013 1 次提交
  21. 13 8月, 2013 1 次提交
  22. 09 8月, 2013 2 次提交
    • D
      Fix double-free and broken logic in virt-login-shell · ac692e3a
      Daniel P. Berrange 提交于
      The virLoginShellAllowedUser method must not free the 'groups'
      parameter it is given, as that is owned by the caller.
      
      The virLoginShellAllowedUser method should be checking
      '!*ptr' (ie empty string) rather than '!ptr' (NULL string)
      since the latter cannot be true.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      ac692e3a
    • J
      build: fix compilation of virt-login-shell.c · 26b8a4dd
      Jim Fehlig 提交于
      virt-login-shell.c was failing to compile with
      
      CC       virt_login_shell-virt-login-shell.o
      virt-login-shell.c: In function 'main':
      virt-login-shell.c:205:5: error: implicit declaration of function 'setlocale' [-Werror=implicit-function-declaration]
      virt-login-shell.c:205:5: error: nested extern declaration of 'setlocale' [-Werror=nested-externs]
      virt-login-shell.c:205:20: error: 'LC_ALL' undeclared (first use in this function)
      26b8a4dd
  23. 08 8月, 2013 1 次提交