From f0a2171bf9f35b0430e18676a688b2c985f8917a Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Mon, 16 Apr 2018 15:08:03 +0100 Subject: os-posix: cleanup: Replace fprintfs with error_report in change_process_uid I'm going to be editing this function and it makes sense to clean up this style problem in advance. Signed-off-by: Ian Jackson CC: Paolo Bonzini CC: Markus Armbruster CC: Daniel P. Berrange CC: Michael Tokarev Reviewed-by: Peter Maydell Reviewed-by: Thomas Huth --- os-posix.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'os-posix.c') diff --git a/os-posix.c b/os-posix.c index b9c2343b1e..560db955cb 100644 --- a/os-posix.c +++ b/os-posix.c @@ -167,20 +167,20 @@ static void change_process_uid(void) { if (user_pwd) { if (setgid(user_pwd->pw_gid) < 0) { - fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid); + error_report("Failed to setgid(%d)", user_pwd->pw_gid); exit(1); } if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) { - fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n", - user_pwd->pw_name, user_pwd->pw_gid); + error_report("Failed to initgroups(\"%s\", %d)", + user_pwd->pw_name, user_pwd->pw_gid); exit(1); } if (setuid(user_pwd->pw_uid) < 0) { - fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid); + error_report("Failed to setuid(%d)", user_pwd->pw_uid); exit(1); } if (setuid(0) != -1) { - fprintf(stderr, "Dropping privileges failed\n"); + error_report("Dropping privileges failed"); exit(1); } } -- cgit 1.4.1 From 2c42f1e80103cb926c0703d4c1ac1fb9c3e2c600 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Fri, 15 Sep 2017 18:10:44 +0100 Subject: os-posix: Provide new -runas : facility This allows the caller to specify a uid and gid to use, even if there is no corresponding password entry. This will be useful in certain Xen configurations. We don't support just -runas because: (i) deprivileging without calling setgroups would be ineffective (ii) given only a uid we don't know what gid we ought to use (since uids may eppear in multiple passwd file entries with different gids). Signed-off-by: Ian Jackson Reviewed-by: Anthony PERARD CC: Paolo Bonzini CC: Markus Armbruster CC: Daniel P. Berrange CC: Michael Tokarev Reviewed-by: Markus Armbruster --- os-posix.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++--------- qemu-options.hx | 3 ++- 2 files changed, 67 insertions(+), 13 deletions(-) (limited to 'os-posix.c') diff --git a/os-posix.c b/os-posix.c index 560db955cb..0f59566639 100644 --- a/os-posix.c +++ b/os-posix.c @@ -41,7 +41,14 @@ #include #endif -static struct passwd *user_pwd; +/* + * Must set all three of these at once. + * Legal combinations are unset by name by uid + */ +static struct passwd *user_pwd; /* NULL non-NULL NULL */ +static uid_t user_uid = (uid_t)-1; /* -1 -1 >=0 */ +static gid_t user_gid = (gid_t)-1; /* -1 -1 >=0 */ + static const char *chroot_dir; static int daemonize; static int daemon_pipe; @@ -127,6 +134,33 @@ void os_set_proc_name(const char *s) #endif } + +static bool os_parse_runas_uid_gid(const char *optarg) +{ + unsigned long lv; + const char *ep; + uid_t got_uid; + gid_t got_gid; + int rc; + + rc = qemu_strtoul(optarg, &ep, 0, &lv); + got_uid = lv; /* overflow here is ID in C99 */ + if (rc || *ep != ':' || got_uid != lv || got_uid == (uid_t)-1) { + return false; + } + + rc = qemu_strtoul(ep + 1, 0, 0, &lv); + got_gid = lv; /* overflow here is ID in C99 */ + if (rc || got_gid != lv || got_gid == (gid_t)-1) { + return false; + } + + user_pwd = NULL; + user_uid = got_uid; + user_gid = got_gid; + return true; +} + /* * Parse OS specific command line options. * return 0 if option handled, -1 otherwise @@ -144,8 +178,13 @@ void os_parse_cmd_args(int index, const char *optarg) #endif case QEMU_OPTION_runas: user_pwd = getpwnam(optarg); - if (!user_pwd) { - fprintf(stderr, "User \"%s\" doesn't exist\n", optarg); + if (user_pwd) { + user_uid = -1; + user_gid = -1; + } else if (!os_parse_runas_uid_gid(optarg)) { + error_report("User \"%s\" doesn't exist" + " (and is not :)", + optarg); exit(1); } break; @@ -165,18 +204,32 @@ void os_parse_cmd_args(int index, const char *optarg) static void change_process_uid(void) { - if (user_pwd) { - if (setgid(user_pwd->pw_gid) < 0) { - error_report("Failed to setgid(%d)", user_pwd->pw_gid); + assert((user_uid == (uid_t)-1) || user_pwd == NULL); + assert((user_uid == (uid_t)-1) == + (user_gid == (gid_t)-1)); + + if (user_pwd || user_uid != (uid_t)-1) { + gid_t intended_gid = user_pwd ? user_pwd->pw_gid : user_gid; + uid_t intended_uid = user_pwd ? user_pwd->pw_uid : user_uid; + if (setgid(intended_gid) < 0) { + error_report("Failed to setgid(%d)", intended_gid); exit(1); } - if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) { - error_report("Failed to initgroups(\"%s\", %d)", - user_pwd->pw_name, user_pwd->pw_gid); - exit(1); + if (user_pwd) { + if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) { + error_report("Failed to initgroups(\"%s\", %d)", + user_pwd->pw_name, user_pwd->pw_gid); + exit(1); + } + } else { + if (setgroups(1, &user_gid) < 0) { + error_report("Failed to setgroups(1, [%d])", + user_gid); + exit(1); + } } - if (setuid(user_pwd->pw_uid) < 0) { - error_report("Failed to setuid(%d)", user_pwd->pw_uid); + if (setuid(intended_uid) < 0) { + error_report("Failed to setuid(%d)", intended_uid); exit(1); } if (setuid(0) != -1) { diff --git a/qemu-options.hx b/qemu-options.hx index ca4e412f2f..5fbf966292 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3765,7 +3765,8 @@ ETEXI #ifndef _WIN32 DEF("runas", HAS_ARG, QEMU_OPTION_runas, \ - "-runas user change to user id user just before starting the VM\n", + "-runas user change to user id user just before starting the VM\n" \ + " user can be numeric uid:gid instead\n", QEMU_ARCH_ALL) #endif STEXI -- cgit 1.4.1 From 22cd4f4835b2053271e737b1679927b9b8aa4252 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Mon, 16 Apr 2018 15:15:51 +0100 Subject: os-posix: cleanup: Replace fprintf with error_report in remaining call sites MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Ian Jackson CC: Paolo Bonzini CC: Markus Armbruster CC: Daniel P. Berrange CC: Michael Tokarev Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Thomas Huth --- os-posix.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'os-posix.c') diff --git a/os-posix.c b/os-posix.c index 0f59566639..a2ba50d23f 100644 --- a/os-posix.c +++ b/os-posix.c @@ -129,7 +129,7 @@ void os_set_proc_name(const char *s) exit(1); } #else - fprintf(stderr, "Change of process name not supported by your OS\n"); + error_report("Change of process name not supported by your OS"); exit(1); #endif } @@ -243,7 +243,7 @@ static void change_root(void) { if (chroot_dir) { if (chroot(chroot_dir) < 0) { - fprintf(stderr, "chroot failed\n"); + error_report("chroot failed"); exit(1); } if (chdir("/")) { -- cgit 1.4.1 From a7aaec148e27193cc6f7d33d2f18f81eed011a5c Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Mon, 16 Apr 2018 15:16:23 +0100 Subject: os-posix: cleanup: Replace perror with error_report MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit perror() is defined to fprintf(stderr,...). HACKING says fprintf(stderr,...) is wrong. So perror() is too. Signed-off-by: Ian Jackson CC: Paolo Bonzini CC: Markus Armbruster CC: Daniel P. Berrange CC: Michael Tokarev CC: Alistair Francis Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Alistair Francis --- os-posix.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'os-posix.c') diff --git a/os-posix.c b/os-posix.c index a2ba50d23f..24eb7007dc 100644 --- a/os-posix.c +++ b/os-posix.c @@ -125,7 +125,7 @@ void os_set_proc_name(const char *s) /* Could rewrite argv[0] too, but that's a bit more complicated. This simple way is enough for `top'. */ if (prctl(PR_SET_NAME, name)) { - perror("unable to change process name"); + error_report("unable to change process name: %s", strerror(errno)); exit(1); } #else @@ -247,7 +247,7 @@ static void change_root(void) exit(1); } if (chdir("/")) { - perror("not able to chdir to /"); + error_report("not able to chdir to /: %s", strerror(errno)); exit(1); } } @@ -309,7 +309,7 @@ void os_setup_post(void) if (daemonize) { if (chdir("/")) { - perror("not able to chdir to /"); + error_report("not able to chdir to /: %s", strerror(errno)); exit(1); } TFR(fd = qemu_open("/dev/null", O_RDWR)); @@ -383,7 +383,7 @@ int os_mlock(void) ret = mlockall(MCL_CURRENT | MCL_FUTURE); if (ret < 0) { - perror("mlockall"); + error_report("mlockall: %s", strerror(errno)); } return ret; -- cgit 1.4.1