From: Markus Armbruster <armbru@redhat.com>
To: Ian Jackson <ian.jackson@citrix.com>
Cc: Juergen Gross <jgross@suse.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Ian Jackson <ian.jackson@eu.citrix.com>,
qemu-devel@nongnu.org, Ross Lagerwall <ross.lagerwall@citrix.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Anthony PERARD <anthony.perard@citrix.com>,
xen-devel@lists.xenproject.org
Subject: Re: [Qemu-devel] [PATCH 08/12] os-posix: Provide new -runas <uid>:<gid> facility
Date: Mon, 16 Apr 2018 18:17:46 +0200
Message-ID: <87tvsbm8gl.fsf@dusky.pond.sub.org>
In-Reply-To: <23252.44539.262716.947319@mariner.uk.xensource.com> (Ian Jackson's message of "Mon, 16 Apr 2018 15:06:51 +0100")

Ian Jackson <ian.jackson@citrix.com> writes:

> Thanks for the review. Taking your comments out of order slightly:
>
> Markus Armbruster writes ("Re: [Qemu-devel] [PATCH 08/12] os-posix: Provide new -runas <uid>:<gid> facility"):
>> [change_process_uid] is the only user of @user_pwd, @user_uid, @user_gid.
>>
>> Have you considered replacing global @user_pwd by @user_uid, @user_gid
>> and @user_name? --runas with numeric uid and gid would leave @user_name
>> null.
>
> That would defer the getpwnam from argument parsing to os_setup_post.
> I think that's undesirable.

No argument.  But why can't os_parse_cmd_args() call getpwnam() as it
does now, then store user_pwd->pw_uid, ->pw_gid and ->pw_name instead of
user_pwd?  Store a null name when it parses the argument as UID:GID.

>> Ian Jackson <ian.jackson@eu.citrix.com> writes:
>> > static struct passwd *user_pwd;
>> > +static uid_t user_uid = (uid_t)-1;
>> > +static gid_t user_gid = (gid_t)-1;
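Review bot: the new user_uid and user_gid declarations sit beside user_pwd with no comment on how the three relate, so a reader cannot tell from these lines which one is authoritative once both a name and a numeric pair have been supplied. Add a comment stating that at most one of user_pwd or the user_uid/user_gid pair is set at any time, or keep a single representation (resolved uid, gid and an optional name). Because (uid_t)-1 and (gid_t)-1 double as the "unset" markers, the code that parses numeric input should refuse those values.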
>>
>> As we'll see below, @user_pwd->pw_uid, @user_pwd->pw_gid take precedence
>> over @user_uid, @user_gid. Awkward.
>
> My patch has the right behaviour: each -runas completely overrides the
> previous one. -runas that sets user_{uid,gid} always clears user_pwd
> on the way. So user_pwd can only be set if the most recent -runas was
> a name, and then we should honour the name.
>
> This is rather obscure. I think you are right that this is confusing.
> It ought to be clearer.
>
> I will
>  - add a comment next to these three variables saying they must
>    all be set at the same time
>  - explicitly (redundantly) clear user_pwd in os_parse_runas_uid_gid
>  - explicitly set user_{uid,gid} to -1 when -runas gets a
>    success from getpwnam
>  - assert in change_process_uid that the combination is legal

Yes, that's better.  But perhaps you like my idea above.

[...]