- 07 Aug 2019, 4 commits

Committed by Daniel P. Berrangé

The virt-login-shell binary is a setuid program that takes no arguments. When invoked it looks at the invoking uid, resolves it to a username, and finds an LXC guest with the same name. It then starts the guest and runs the shell inside the namespaces of the container.

Given this set of tasks the virt-login-shell binary needs to connect to libvirtd and make various other libvirt API calls. This is a problem for setuid binaries as various libraries that libvirt.so links to are not safe. For example, they have constructor functions which execute an unknown amount of code that can be influenced by env variables. For this reason virt-login-shell doesn't use libvirt.so, but instead links to a custom, cut down, set of source files sufficient to be a local client only.

This introduces a problem for integrating glib2 into libvirt though, as once integrated, there would be no way to build virt-login-shell without an external dependency on glib2 and this is definitely not setuid safe.

To resolve this problem, we split the virt-login-shell binary into two parts. The first part is setuid and does almost nothing. It simply records the original uid+gid, and then invokes the virt-login-shell-helper binary. Crucially when it does this it completely scrubs all environment variables. It is thus safe for virt-login-shell-helper to link to the normal libvirt.so. Any things that constructor functions do cannot be influenced by user controlled env vars or cli args.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Committed by Daniel P. Berrangé

We'll shortly be renaming the binary to virt-login-shell-helper and introducing a new tool as virt-login-shell. Renaming the source file first gives a much more useful diff for the next commit.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Committed by Daniel P. Berrangé

The public API entry points will call virDispatchError which will print to stderr by default. We then jump to a cleanup path which calls virDispatchError again. We tried to stop the entry points printing to stderr, but incorrectly called virSetErrorFunc. It needs a real function that is a no-op, not a NULL function. Once we fix virSetErrorFunc, then we need to use fprintf in the cleanup path instead of virDispatchError.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Committed by Daniel P. Berrangé

If the 'allowed_users' config setting in virt-login-shell.conf does not exist, we dereference a NULL pointer resulting in a crash. We should check for this case and thus ensure the user is denied access gracefully.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
- 03 Jan 2019, 1 commit

Committed by Michal Privoznik

In 60046283 we've tried to remove Author(s): lines from comments at the beginning of our source files. Well, in some files while we removed the "Author" line we did not remove the actual list of authors.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
- 20 Sep 2018, 2 commits

Committed by Erik Skultety

All of the ones being removed are pulled in by internal.h. The only exception is sanlock which expects the application to include <stdint.h> before sanlock's headers, because sanlock prototypes use fixed width int, but they don't include stdint.h themselves, so we have to leave that one in place.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
Committed by Erik Skultety

It doesn't really make sense for us to have stdlib.h and string.h but not stdio.h in the internal.h header.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
- 12 Apr 2018, 1 commit

lxc:///system
Committed by Daniel P. Berrangé

Historically we have used a bare lxc:/// URI for connecting to LXC. This is different from our practice with QEMU, UML, Parallels, Libxl, BHyve and VirtualBox drivers, which all use a path of '/system' or '/session' or both. By making LXC allow '/system', we have fully standardized on the use of either '/system' or '/session' for all the stateful drivers that run inside libvirtd. Support for lxc:/// is of course maintained for back-compat.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
- 25 Nov 2016, 1 commit

Committed by Michal Privoznik

We have a couple of functions that operate over NULL terminated lists of strings. However, our naming sucks:

    virStringJoin
    virStringFreeList
    virStringFreeListCount
    virStringArrayHasString
    virStringGetFirstWithPrefix

We can do better:

    virStringListJoin
    virStringListFree
    virStringListFreeCount
    virStringListHasString
    virStringListGetFirstWithPrefix

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 19 Jul 2016, 1 commit

Committed by John Ferlan

Commit id '740e4d70' altered the logic to fetch the sysconf values and added a new virConfGetValueStringList which returns -1 on failure, 0 if missing, and 1 if the value was present. However, the caller only checked !shargv which caught Coverity's attention since the following VIR_ALLOC_N(*shargv, 2) would be a NULL ptr deref.

Signed-off-by: John Ferlan <jferlan@redhat.com>
- 12 Jul 2016, 1 commit

Committed by Daniel P. Berrange

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 20 Jun 2016, 2 commits

Committed by Peter Krempa

Whine about 'allowed_users' having wrong format rather than 'shell'

Committed by Peter Krempa

The list certainly isn't zero terminated and it would disallow usage of group 'root'. Pass in the array size and match against it.

- 10 Jun 2016, 7 commits

Committed by Daniel P. Berrange

Prior to joining the namespaces of the container, move the process into the container's cgroups, so that the shell that is subsequently launched is under the container resource constraints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

Currently the shell must be looked up from the config setting in /etc/libvirt/virt-login-shell.conf. This is inflexible if there are containers where different users need different shells. Add a new 'auto-shell' config parameter which instructs us to query the container's /etc/passwd for the shell to be exec'd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

The virt-login-shell environment will be initialized with an arbitrary number of environment variables determined by the SSH daemon and PAM configuration. Most of these are not relevant inside the container, and at best they are noise and at worst they'll break apps. For example if XDG_RUNTIME_DIR is leaked to the container, it'll break any apps using it, since the directory it points to is only visible to the host OS filesystem, not the container FS.

Use clearenv() to blank out everything and then set known good values for PATH, SHELL, USER, LOGNAME, HOME and TERM. Everything else is left up to the login shell to initialize.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
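The environment scrubbing described in this commit, and the "completely scrubs all environment variables" step of the setuid/helper split further up the log, both come down to the same thing: never pass the inherited environment through, rebuild it from known values. The following is an added example written for this page, not libvirt's own code. It assumes the fixed PATH of /bin:/usr/bin (the value a later commit in this log chooses) and a "dumb" fallback when the caller set no TERM; the function and helper names are invented here.

```c
/* Added example, not libvirt code: rebuild the environment for a login
 * shell from scratch.  Everything inherited from sshd/PAM is dropped; only
 * TERM is carried over (if set), and PATH, SHELL, USER, LOGNAME and HOME
 * are set from the caller's known-good values.  The fixed PATH and the
 * "dumb" fallback for TERM are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGIN_ENV_MAX 7   /* six variables plus the terminating NULL */

/* Look up NAME in a NULL-terminated "NAME=value" array; NULL if absent. */
const char *env_lookup(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (; envp && *envp; envp++) {
        if (strncmp(*envp, name, len) == 0 && (*envp)[len] == '=')
            return *envp + len + 1;
    }
    return NULL;
}

/* Number of entries before the terminating NULL. */
size_t env_count(char *const *envp)
{
    size_t n = 0;
    for (; envp && *envp; envp++)
        n++;
    return n;
}

void free_login_env(char **envp)
{
    if (!envp)
        return;
    for (char **p = envp; *p; p++)
        free(*p);
    free(envp);
}

/* Append "name=value"; -1 if the array is full or malloc fails. */
static int env_set(char **envp, size_t *n, const char *name, const char *value)
{
    if (*n + 1 >= LOGIN_ENV_MAX)
        return -1;
    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *entry = malloc(len);
    if (!entry)
        return -1;
    snprintf(entry, len, "%s=%s", name, value);
    envp[(*n)++] = entry;
    envp[*n] = NULL;
    return 0;
}

/* Build the envp for execve() of the login shell.  'inherited' is the
 * caller's environment (normally 'environ'); nothing in it survives except
 * TERM.  In the real program clearenv() is also called so the parent
 * process itself stops carrying the inherited values. */
char **build_login_env(char *const *inherited, const char *user,
                       const char *home, const char *shell)
{
    char **envp = calloc(LOGIN_ENV_MAX, sizeof(*envp));
    size_t n = 0;
    if (!envp)
        return NULL;
    const char *term = env_lookup(inherited, "TERM");
    if (!term || !*term)
        term = "dumb";
    if (env_set(envp, &n, "PATH", "/bin:/usr/bin") < 0 ||
        env_set(envp, &n, "SHELL", shell) < 0 ||
        env_set(envp, &n, "USER", user) < 0 ||
        env_set(envp, &n, "LOGNAME", user) < 0 ||
        env_set(envp, &n, "HOME", home) < 0 ||
        env_set(envp, &n, "TERM", term) < 0) {
        free_login_env(envp);
        return NULL;
    }
    return envp;
}
```

The point of building a fresh array rather than deleting known-bad names is that the allow-list is closed: an inherited XDG_RUNTIME_DIR, or any loader-affecting variable, simply never reaches the shell or the container.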
Committed by Daniel P. Berrange

The virDomainFree / virConnectClose methods will reset the last error handle, so we must save the error during cleanup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

Currently the shell config file parameter must be a list giving the shell path and args. Allow it to be a plain string argument as well.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

Currently we request a login shell by passing the -l argument to the shell. This is either hardcoded, or required to be specified by the user in the virt-login-shell.conf file. The standard way for login programs to request a shell run as a login shell is to modify the argv passed to execve() so that argv[0] contains the relative shell filename prefixed with a zero. eg instead of doing

    const char *shellargs[] = { "/bin/bash", "-l", NULL };
    execve(shellargs[0], (char **)shellargs, env);

We should be doing

    const char *shellargs[] = { "-bash", NULL };
    execve("/bin/bash", (char **)shellargs, env);

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

The virt-login-shell program is supposed to look like a regular shell to clients. Login services like sshd expect the shell to accept a '-c cmdstring' argument to specify a command to launch instead of presenting an interactive prompt. We can implement this by simply passing the '-c cmdstring' data straight through to the real shell we use. This does not open any security holes, since the command is not run until we're inside the container namespaces. This allows scp to work for users with virt-login-shell.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
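The two commits above together define what the exec'd shell's argv should look like: argv[0] is "-" plus the shell's basename (the login-shell convention, replacing "-l"), and an optional "-c cmdstring" from sshd is passed through untouched. The following is an added example written for this page, not libvirt's code; the function names are invented here, and it assumes the only accepted invocation forms are no arguments or exactly "-c cmdstring".

```c
/* Added example, not libvirt code: construct the argv for the shell that
 * runs inside the container, and parse the request virt-login-shell itself
 * received.  Function names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

void free_shell_argv(char **argv)
{
    if (!argv)
        return;
    for (char **p = argv; *p; p++)
        free(*p);
    free(argv);
}

/* Parse what virt-login-shell was started with: nothing (interactive
 * login) or exactly "-c cmdstring" as sshd passes for scp and remote
 * commands.  Returns 0 and sets *cmdstring (NULL for interactive), or -1
 * for any other usage so the caller can refuse it. */
int parse_shell_request(int argc, char *const *argv, const char **cmdstring)
{
    *cmdstring = NULL;
    if (argc <= 1)
        return 0;
    if (argc == 3 && strcmp(argv[1], "-c") == 0) {
        *cmdstring = argv[2];
        return 0;
    }
    return -1;
}

/* Build argv for the real shell: argv[0] is "-" followed by the shell's
 * basename so it starts as a login shell without an explicit "-l"; the
 * "-c cmdstring" pair, if any, is appended unchanged.  Returns a
 * NULL-terminated heap array (free with free_shell_argv) or NULL. */
char **build_shell_argv(const char *shell_path, const char *cmdstring)
{
    const char *base = strrchr(shell_path, '/');
    base = base ? base + 1 : shell_path;
    if (*base == '\0')                    /* "/bin/" or "" is not a shell */
        return NULL;
    size_t n = cmdstring ? 3 : 1;
    char **argv = calloc(n + 1, sizeof(*argv));
    if (!argv)
        return NULL;
    size_t len = strlen(base) + 2;        /* '-' + base + NUL */
    argv[0] = malloc(len);
    if (!argv[0]) {
        free(argv);
        return NULL;
    }
    snprintf(argv[0], len, "-%s", base);
    if (cmdstring) {
        argv[1] = dup_str("-c");
        argv[2] = dup_str(cmdstring);
        if (!argv[1] || !argv[2]) {
            free_shell_argv(argv);
            return NULL;
        }
    }
    return argv;
}

/* Last step, only once the process is inside the container's namespaces:
 * exec the real shell by its full path with the constructed argv/envp.
 * Returns only on failure. */
int exec_login_shell(const char *shell_path, char **argv, char **envp)
{
    execve(shell_path, argv, envp);
    perror("execve");
    return -1;
}
```

Note that the command string is never interpreted by the wrapper; it is handed to the shell as a single argv element, and that shell is only started after the namespace switch, which is what the commit message relies on when it says no new hole is opened.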
- 15 Apr 2016, 1 commit

Committed by Cole Robinson

Take setlocale/gettext error handling pattern from tools/virsh-* and use it for all standalone binaries via a new shared virGettextInitialize routine. The virsh* pattern differed slightly from other callers. All users now consistently:

* Ignore setlocale errors. virsh has done this forever, presumably for good reason. This has been partially responsible for some bug reports:
  https://bugzilla.redhat.com/show_bug.cgi?id=1312688
  https://bugzilla.redhat.com/show_bug.cgi?id=1026514
  https://bugzilla.redhat.com/show_bug.cgi?id=1016158
* Report the failed function name
* Report strerror
- 25 Dec 2015, 1 commit

Committed by Michal Privoznik

The manpage for sysconf() suggests including unistd.h as the function is declared there. Even though we are not hitting any compile issues currently, let's include the correct header file instead of relying on some hidden include chain.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 15 Sep 2014, 1 commit

Committed by John Ferlan

Coverity complained that checking the return of virDomainCreate() was not consistent amongst the callers, so added the return check to objecteventtest.c and adjusted virt-login-shell to compare < 0 rather than just non-zero for the failure condition.
- 25 Mar 2014, 1 commit

Committed by Ján Tomko
- 06 Mar 2014, 1 commit

Committed by Eric Blake

Coverity spotted that 'nfdlist' (ssize_t) could be -1, but that we were using 'i' (size_t) to iterate over the list at cleanup, with crashing results because it promotes to a really big unsigned number.

* tools/virt-login-shell.c (main): Avoid treating -1 as unsigned.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 04 Mar 2014, 4 commits

Committed by Eric Blake

virt-login-shell was exiting with status 0, regardless of what the wrapped shell returned. This is unkind to users; we should behave more like env(1), nice(1), su(1), and other wrapper programs, by preserving the invoked application's status (which includes the distinction between death due to signal vs. normal death).

* tools/virt-login-shell.c (main): Pass through child exit status.
* tools/virt-login-shell.pod: Document exit status.

Signed-off-by: Eric Blake <eblake@redhat.com>
Committed by Eric Blake

Note that 'virsh lxc-enter-namespace' must double-fork, for two reasons: some namespaces can only be done from a single thread, while virsh is multithreaded; and because virsh can be run in batch mode where we must not corrupt the namespace of that execution upon return from the subsidiary command. When virt-login-shell was first written, it blindly copied from 'virsh lxc-enter-namespace', including the double-fork. But neither of the reasons for double forking apply to virt-login-shell (we are single-threaded, and we have nothing to do after the child completes that would require us to preserve a namespace), so we can simplify life by using a single fork. In turn, this will make it easier for a future patch to pass the child's exit status on to the invoking shell.

In flattening to a single fork, note that closing the fds must be done after fork, because the parent process still needs to use fds to control the virConnectPtr; meanwhile, chdir can be done prior to forking (in fact, it's easier to report errors on anything attempted before forking).

* tools/virt-login-shell.c (main): Single rather than double fork.
(virLoginShellFini): Delete, by inlining actions instead.

Signed-off-by: Eric Blake <eblake@redhat.com>
Committed by Eric Blake

The old semantics of virFork() violates the principle of good usability: it requires the caller to check the pid argument after use, *even when virFork returned -1*, in order to properly abort a child process that failed setup done immediately after fork() - that is, the caller must call _exit() in the child. While uses in virfile.c did this correctly, uses in 'virsh lxc-enter-namespace' and 'virt-login-shell' would happily return from the calling function in both the child and the parent, leading to very confusing results. [Thankfully, I found the problem by inspection, and can't actually trigger the double return on error without an LD_PRELOAD library.]

It is much better if the semantics of virFork are impossible to abuse. Looking at virFork(), the parent could only ever return -1 with a non-negative pid if it misused pthread_sigmask, but this never happens. Up until this patch series, the child could return -1 with non-negative pid if it fails to set up signals correctly, but we recently fixed that to make the child call _exit() at that point instead of forcing the caller to do it. Thus, the return value and contents of the pid argument are now redundant (a -1 return now happens only for failure to fork, a child 0 return only happens for a successful 0 pid, and a parent 0 return only happens for a successful non-zero pid), so we might as well return the pid directly rather than an integer of whether it succeeded or failed; this is also good from the interface design perspective as users are already familiar with fork() semantics.

One last change in this patch: before returning the pid directly, I found cases where using virProcessWait unconditionally on a cleanup path of a virFork's -1 pid return would be nicer if there were a way to avoid it overwriting an earlier message. While such paths are a bit harder to come by with my change to a direct pid return, I decided to keep the virProcessWait change in this patch.

* src/util/vircommand.h (virFork): Change signature.
* src/util/vircommand.c (virFork): Guarantee that child will only return on success, to simplify callers. Return pid rather than status, now that the situations are always the same.
(virExec): Adjust caller, also avoid open-coding process death.
* src/util/virprocess.c (virProcessWait): Tweak semantics when pid is -1.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked) (virDirCreate): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/commandtest.c (test23): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
Committed by Eric Blake

Right now, a caller waiting for a child process either requires the child to have status 0, or must use WIFEXITED() and friends itself. But in many cases, we want the middle ground of treating fatal signals as an error, and directly accessing the normal exit value without having to use WEXITSTATUS(), in order to easily detect an expected non-zero exit status. This adds the middle ground to the low-level virProcessWait; the next patch will add it to virCommand.

* src/util/virprocess.h (virProcessWait): Alter signature.
* src/util/virprocess.c (virProcessWait): Add parameter.
(virProcessRunInMountNamespace): Adjust caller.
* src/util/vircommand.c (virCommandWait): Likewise.
* src/util/virfile.c (virFileAccessibleAs): Likewise.
* src/lxc/lxc_container.c (lxcContainerHasReboot) (lxcContainerAvailable): Likewise.
* daemon/libvirtd.c (daemonForkIntoBackground): Likewise.
* tools/virt-login-shell.c (main): Likewise.
* tools/virsh-domain.c (cmdLxcEnterNamespace): Likewise.
* tests/testutils.c (virtTestCaptureProgramOutput): Likewise.
* tests/commandtest.c (test23): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
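The four commits of this day describe one design: a fork helper whose child never returns to the caller on a failed setup and whose pid is the return value; a wait helper with a "middle ground" that reports an expected non-zero exit directly but treats death by signal as an error; and a wrapper that passes the child's status (exit code or signal) back to whoever invoked it. The following is an added example written for this page, not libvirt's virFork/virProcessWait; the names are invented, and it assumes the common shell convention of 128+N for a child killed by signal N when a status must be squeezed into a single int.

```c
/* Added example, not libvirt code: fork/wait/propagate helpers in the
 * spirit of the virFork and virProcessWait changes above.  Names and the
 * 128+signal encoding are this example's own choices. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* fork() with the contract the virFork rework describes: the pid is the
 * return value (-1 only when fork itself fails), and a child that cannot
 * finish its setup calls _exit() here instead of returning, so the caller
 * can never run its parent-side code twice. */
pid_t fork_child(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        sigset_t none;
        sigemptyset(&none);
        if (sigprocmask(SIG_SETMASK, &none, NULL) < 0 ||
            signal(SIGPIPE, SIG_DFL) == SIG_ERR) {
            perror("child setup");
            _exit(EXIT_FAILURE);
        }
    }
    return pid;
}

/* Decode a waitpid() status: the exit code for a normal exit, or 128+N
 * when the child died from signal N.  *signo receives N, or 0. */
int decode_wait_status(int status, int *signo)
{
    *signo = 0;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) {
        *signo = WTERMSIG(status);
        return 128 + *signo;
    }
    return -1;
}

/* The "middle ground": wait for PID and hand back the plain exit status
 * so the caller never touches WEXITSTATUS(); death by signal is reported
 * as an error (-1), so an expected non-zero exit is distinguishable from
 * a crash.  A pid of -1 (fork failed earlier) is simply an error. */
int wait_for_exit(pid_t pid, int *exitstatus)
{
    int status, signo;
    if (pid < 0)
        return -1;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    *exitstatus = decode_wait_status(status, &signo);
    return signo ? -1 : 0;
}

/* What a wrapper does after the wrapped shell finishes: exit with the same
 * code, or re-raise the fatal signal so the invoker sees the same
 * distinction env(1) and su(1) preserve.  Never returns. */
void propagate_status(int status)
{
    int signo;
    int code = decode_wait_status(status, &signo);
    if (signo) {
        signal(signo, SIG_DFL);
        raise(signo);
    }
    exit(code < 0 ? EXIT_FAILURE : code);
}

/* Exercise helpers: run a child that exits with CODE, or one that kills
 * itself with SIG, and return what the wait helpers report. */
int run_child_exit(int code, int *exitstatus)
{
    pid_t pid = fork_child();
    if (pid == 0)
        _exit(code);
    return wait_for_exit(pid, exitstatus);
}

int run_child_signal(int sig, int *signo)
{
    int status;
    pid_t pid = fork_child();
    if (pid == 0) {
        raise(sig);
        _exit(0);                 /* only reached if the signal was ignored */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return decode_wait_status(status, signo);
}
```

With pid-as-return-value there is exactly one place, `pid == 0`, where child code runs, and a failed fork_child() feeds -1 straight into wait_for_exit(), which refuses it without clobbering whatever error the caller already has in hand.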
- 20 Jan 2014, 1 commit

Committed by Thorsten Behrens
- 10 Jan 2014, 1 commit

Committed by Eric Blake

Our fixes for CVE-2013-4400 were so effective at "fixing" bugs in virt-login-shell that we ended up fixing it into a useless do-nothing program.

Commit 3e2f27e1 picked the name LIBVIRT_SETUID_RPC_CLIENT for the witness macro when we are doing secure compilation. But commit 9cd6a57d checked whether the name IN_VIRT_LOGIN_SHELL, from an earlier version of the patch series, was defined; with the net result that virt-login-shell invariably detected that it was setuid and failed virInitialize.

Commit b7fcc799 closed all fds larger than stderr, but in the wrong place. Looking at the larger context, we mistakenly did the close in between obtaining the set of namespace fds, then actually using those fds to switch namespace, which means that virt-login-shell will ALWAYS fail.

This is the minimal patch to fix the regressions, although further patches are also worth having to clean up poor semantics of the resulting program (for example, it is rude to not pass on the exit status of the wrapped program back to the invoking shell).

* tools/virt-login-shell.c (main): Don't close fds until after namespace swap.
* src/libvirt.c (virGlobalInit): Use correct macro.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 24 Dec 2013, 1 commit

Committed by Eric Blake

I noticed a few odd things in 'virt-login-shell --help' output.

* tools/virt-login-shell.c (usage): At most one option accepted, drop trailing colon.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 21 Oct 2013, 2 commits

Committed by Daniel P. Berrange

The virt-login-shell binary shouldn't need to execute programs relying on $PATH, but just in case set a fixed $PATH value of /bin:/usr/bin

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Committed by Daniel P. Berrange

We don't want to inherit any FDs in the new namespace except for the stdio FDs. Explicitly close them all, just in case some do not have the close-on-exec flag set.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 14 Aug 2013, 1 commit

Committed by Ruben Kerkhof

and wrap some long lines

Signed-off-by: Eric Blake <eblake@redhat.com>
- 13 Aug 2013, 1 commit

Committed by Daniel P. Berrange

Address a number of code, style and docs issues identified in review of virt-login-shell after it was merged.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 09 Aug 2013, 2 commits

Committed by Daniel P. Berrange

The virLoginShellAllowedUser method must not free the 'groups' parameter it is given, as that is owned by the caller. The virLoginShellAllowedUser method should be checking '!*ptr' (ie empty string) rather than '!ptr' (NULL string) since the latter cannot be true.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
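Three commits in this log touch the same allow-list check: this one (don't free the caller's 'groups', test for an empty string with '!*ptr'), the 2016 one that passes the group array size explicitly because the list is not zero terminated, and the 2019 one that denies gracefully when 'allowed_users' is absent instead of dereferencing NULL. The following is an added example written for this page, not libvirt's virLoginShellAllowedUser. It assumes the virt-login-shell.conf conventions that entries are fnmatch() patterns and that a leading '%' names a group; the function name is invented here.

```c
/* Added example, not libvirt code: allow-list check with the three
 * properties the commits above ask for.  Assumptions: entries are
 * fnmatch() patterns, "%name" means a group the user belongs to, the
 * group list carries an explicit length, and nothing the caller passes
 * in is freed or modified. */
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 if USER (member of GROUPS[0..NGROUPS-1]) matches an entry of
 * the NULL-terminated ALLOWED list, else 0.  A missing list denies. */
int login_shell_user_allowed(const char *const *allowed, const char *user,
                             const char *const *groups, size_t ngroups)
{
    /* No allowed_users setting at all: deny, do not dereference NULL. */
    if (!allowed || !user)
        return 0;

    for (const char *const *entry = allowed; *entry; entry++) {
        const char *pattern = *entry;

        /* An empty string in the list is a config mistake and must not act
         * as a wildcard.  The test is on *pattern, not pattern: the loop
         * condition already guarantees the pointer itself is non-NULL. */
        if (!*pattern)
            continue;

        if (pattern[0] == '%') {
            if (!pattern[1])              /* bare "%": no group name */
                continue;
            /* Walk exactly ngroups entries; the array has no terminator,
             * so a group named "root" (or any other) is matched by name
             * rather than by some sentinel value. */
            for (size_t i = 0; i < ngroups; i++) {
                if (groups[i] && fnmatch(pattern + 1, groups[i], 0) == 0)
                    return 1;
            }
        } else if (fnmatch(pattern, user, 0) == 0) {
            return 1;
        }
    }
    return 0;
}
```

Because the function only reads its arguments, the caller that looked up the user's groups stays the sole owner of that array and frees it once, which is the double-free the 2013 fix removes.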
Committed by Jim Fehlig

virt-login-shell.c was failing to compile with

    CC virt_login_shell-virt-login-shell.o
    virt-login-shell.c: In function 'main':
    virt-login-shell.c:205:5: error: implicit declaration of function 'setlocale' [-Werror=implicit-function-declaration]
    virt-login-shell.c:205:5: error: nested extern declaration of 'setlocale' [-Werror=nested-externs]
    virt-login-shell.c:205:20: error: 'LC_ALL' undeclared (first use in this function)
- 08 Aug 2013, 1 commit

Committed by Dan Walsh

Add a virt-login-shell binary that can be set as a user's shell, such that when they login, it causes them to enter the LXC container with a name matching their user name.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>