lguest: --username and --chroot options
I've attached a patch which implements dropping to privileges and chrooting to a directory. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Philip Sanderson
Rusty Russell
parent
8a335bc631
commit
8aeb36e8f6
|
|
@ -39,6 +39,9 @@
|
|||
#include <limits.h>
|
||||
#include <stddef.h>
|
||||
#include <signal.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
|
||||
#include <linux/virtio_config.h>
|
||||
#include <linux/virtio_net.h>
|
||||
#include <linux/virtio_blk.h>
|
||||
|
|
@ -1872,6 +1875,8 @@ static struct option opts[] = {
|
|||
{ "block", 1, NULL, 'b' },
|
||||
{ "rng", 0, NULL, 'r' },
|
||||
{ "initrd", 1, NULL, 'i' },
|
||||
{ "username", 1, NULL, 'u' },
|
||||
{ "chroot", 1, NULL, 'c' },
|
||||
{ NULL },
|
||||
};
|
||||
static void usage(void)
|
||||
|
|
@ -1894,6 +1899,12 @@ int main(int argc, char *argv[])
|
|||
/* If they specify an initrd file to load. */
|
||||
const char *initrd_name = NULL;
|
||||
|
||||
/* Password structure for initgroups/setres[gu]id */
|
||||
struct passwd *user_details = NULL;
|
||||
|
||||
/* Directory to chroot to */
|
||||
char *chroot_path = NULL;
|
||||
|
||||
/* Save the args: we "reboot" by execing ourselves again. */
|
||||
main_args = argv;
|
||||
|
||||
|
|
@ -1950,6 +1961,14 @@ int main(int argc, char *argv[])
|
|||
case 'i':
|
||||
initrd_name = optarg;
|
||||
break;
|
||||
case 'u':
|
||||
user_details = getpwnam(optarg);
|
||||
if (!user_details)
|
||||
err(1, "getpwnam failed, incorrect username?");
|
||||
break;
|
||||
case 'c':
|
||||
chroot_path = optarg;
|
||||
break;
|
||||
default:
|
||||
warnx("Unknown argument %s", argv[optind]);
|
||||
usage();
|
||||
|
|
@ -2021,6 +2040,37 @@ int main(int argc, char *argv[])
|
|||
/* If we exit via err(), this kills all the threads, restores tty. */
|
||||
atexit(cleanup_devices);
|
||||
|
||||
/* If requested, chroot to a directory */
|
||||
if (chroot_path) {
|
||||
if (chroot(chroot_path) != 0)
|
||||
err(1, "chroot(\"%s\") failed", chroot_path);
|
||||
|
||||
if (chdir("/") != 0)
|
||||
err(1, "chdir(\"/\") failed");
|
||||
|
||||
verbose("chroot done\n");
|
||||
}
|
||||
|
||||
/* If requested, drop privileges */
|
||||
if (user_details) {
|
||||
uid_t u;
|
||||
gid_t g;
|
||||
|
||||
u = user_details->pw_uid;
|
||||
g = user_details->pw_gid;
|
||||
|
||||
if (initgroups(user_details->pw_name, g) != 0)
|
||||
err(1, "initgroups failed");
|
||||
|
||||
if (setresgid(g, g, g) != 0)
|
||||
err(1, "setresgid failed");
|
||||
|
||||
if (setresuid(u, u, u) != 0)
|
||||
err(1, "setresuid failed");
|
||||
|
||||
verbose("Dropping privileges completed\n");
|
||||
}
|
||||
|
||||
/* Finally, run the Guest. This doesn't return. */
|
||||
run_guest();
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue