From: Boqiao Fu <bfu@redhat.com>
Date: Mon, 15 Jul 2024 17:04:32 +0800
Subject: [PATCH] Manpage: Update description of 'user=username' for '-run-with'
Manpage: the description of '-runs' didn't show this parameter will use
setuid, so the customer might get confused when 'elevateprivileges=deny' is
used. Since '-runas' is going to be deprecated and replaced by this
parameter in the coming qemu9.1, add the message here.
Signed-off-by: Boqiao Fu <bfu@redhat.com>
---
qemu-options.hx | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/qemu-options.hx b/qemu-options.hx
index ad6521ef5e..264525ed16 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5025,7 +5025,8 @@ SRST
``user=username`` or ``user=uid:gid`` can be used to drop root
privileges
by switching to the specified user (via username) or user and group
- (via uid:gid) immediately before starting guest execution.
+ (via uid:gid) immediately before starting guest execution. Effectively
+ uses the setuid system call to switch to another user id.
ERST
#endif
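Review bot: the added sentence names only setuid, but the line above it says the option switches "user and group", so setgid is involved as well, and for the username form the supplementary group list is changed too; state all the identity-changing calls rather than one, e.g. "QEMU uses the setgroups, setgid and setuid system calls to switch to the specified identity." The word "Effectively" also reads as vague here: the option simply makes those calls, so it can be dropped. Naming every call is what resolves the confusion the commit message describes for users who deny privilege elevation and then see the option fail.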
--
2.43.0
> Manpage: the description of '-runs' didn't show this parameter will use
> setuid, so the customer might get confused when 'elevateprivileges=deny' is
> used. Since '-runas' is going to be deprecated and replaced by this
> parameter in the coming qemu9.1, add the message here.

Queued, thanks. I modified the patch a bit to explain how setgid and
setgroups are used in addition to setuid:

diff --git a/qemu-options.hx b/qemu-options.hx
index ad6521ef5e7..694fa37f284 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5024,8 +5024,11 @@ SRST
in combination with -runas.

``user=username`` or ``user=uid:gid`` can be used to drop root privileges
- by switching to the specified user (via username) or user and group
- (via uid:gid) immediately before starting guest execution.
+ before starting guest execution. QEMU will use the ``setuid`` and ``setgid``
+ system calls to switch to the specified identity. Note that the
+ ``user=username`` syntax will also apply the full set of supplementary
+ groups for the user, whereas the ``user=uid:gid`` will use only the
+ ``gid`` group.

Paolo
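Review bot: the last added line of the hunk, "whereas the ``user=uid:gid`` will use only the ``gid`` group", is missing a noun after ``user=uid:gid``; suggest "whereas the ``user=uid:gid`` syntax will use only the ``gid`` group", parallel to "the ``user=username`` syntax" in the sentence before it. The covering reply also says setgroups is used in addition to setuid and setgid, but the text names only ``setuid`` and ``setgid``; naming ``setgroups`` alongside them would tell a reader who hit the 'elevateprivileges=deny' confusion from the original commit message exactly which calls the option needs to succeed.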
Thanks for your help.

Best,
Boqiao

On Tue, Jul 16, 2024 at 5:00 PM Paolo Bonzini <pbonzini@redhat.com> wrote:
> > Manpage: the description of '-runs' didn't show this parameter will use
> > setuid, so the customer might get confused when 'elevateprivileges=deny' is
> > used. Since '-runas' is going to be deprecated and replaced by this
> > parameter in the coming qemu9.1, add the message here.
>
> Queued, thanks. I modified the patch a bit to explain how setgid and
> setgroups are used in addition to setuid:
>
> diff --git a/qemu-options.hx b/qemu-options.hx
> index ad6521ef5e7..694fa37f284 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -5024,8 +5024,11 @@ SRST
> in combination with -runas.
>
> ``user=username`` or ``user=uid:gid`` can be used to drop root privileges
> - by switching to the specified user (via username) or user and group
> - (via uid:gid) immediately before starting guest execution.
> + before starting guest execution. QEMU will use the ``setuid`` and ``setgid``
> + system calls to switch to the specified identity. Note that the
> + ``user=username`` syntax will also apply the full set of supplementary
> + groups for the user, whereas the ``user=uid:gid`` will use only the
> + ``gid`` group.
>
> Paolo
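The privilege drop that the revised manpage text describes, written out as an added example for this thread; it is not QEMU's own code, and the type and function names (`user_spec`, `parse_user_spec`, `drop_privileges`, `privileges_are_dropped`) are mine. It assumes the two behaviours the text states: the `username` form loads the user's full supplementary group list (here via `initgroups`), while the `uid:gid` form leaves only `gid` in that list (here via `setgroups`). The ordering is the general rule rather than something from the page: groups and gid must be changed while the process is still root, because once `setuid` has moved it to a non-root uid the group calls are refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the file also builds under strict -std=c11, where
 * <grp.h>/<unistd.h> hide these BSD-derived declarations. */
int setgroups(size_t n, const gid_t *groups);
int initgroups(const char *user, gid_t group);

enum spec_kind { SPEC_INVALID = 0, SPEC_USERNAME, SPEC_UID_GID };

struct user_spec {
    enum spec_kind kind;
    char name[64]; /* username form */
    uid_t uid;     /* uid:gid form */
    gid_t gid;     /* uid:gid form */
};

/* Digits-only decimal in [s, stop): strtoul alone would accept "-1" or " 5". */
static int parse_id(const char *s, const char *stop, unsigned long *out)
{
    char *end;
    if (s == stop || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno == 0 && end == stop) ? 0 : -1;
}

/* Classify a user= value as the "username" or "uid:gid" form the manpage text
 * describes and fill *out; SPEC_INVALID for anything malformed. */
enum spec_kind parse_user_spec(const char *value, struct user_spec *out)
{
    const char *colon;
    unsigned long uid, gid;
    memset(out, 0, sizeof *out);
    if (value == NULL || *value == '\0')
        return SPEC_INVALID;
    colon = strchr(value, ':');
    if (colon == NULL) {
        if (strlen(value) >= sizeof out->name)
            return SPEC_INVALID;
        strcpy(out->name, value);
        return out->kind = SPEC_USERNAME;
    }
    if (parse_id(value, colon, &uid) != 0 ||
        parse_id(colon + 1, colon + 1 + strlen(colon + 1), &gid) != 0 ||
        uid > (uid_t)-1 || gid > (gid_t)-1)
        return SPEC_INVALID;
    out->uid = (uid_t)uid;
    out->gid = (gid_t)gid;
    return out->kind = SPEC_UID_GID;
}

/* Drop root to the parsed identity in the order the kernel requires: groups
 * and gid while still root, uid last (the irreversible step).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const struct user_spec *spec)
{
    uid_t uid;
    gid_t gid;
    if (spec->kind == SPEC_USERNAME) {
        struct passwd *pw = getpwnam(spec->name);
        if (pw == NULL) {
            errno = ENOENT;
            return -1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
        if (initgroups(pw->pw_name, gid) != 0) /* full supplementary list */
            return -1;
    } else if (spec->kind == SPEC_UID_GID) {
        uid = spec->uid;
        gid = spec->gid;
        if (setgroups(1, &gid) != 0) /* supplementary list becomes just gid */
            return -1;
    } else {
        errno = EINVAL;
        return -1;
    }
    return (setgid(gid) != 0 || setuid(uid) != 0) ? -1 : 0;
}

/* Post-drop check: not root, and setuid(0) is refused with EPERM. A drop that
 * only changed the effective uid (seteuid) would fail this check. */
int privileges_are_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return 0;
    return errno == EPERM;
}
```

A caller would parse the option value with `parse_user_spec`, call `drop_privileges` before starting any untrusted work, and then treat a false result from `privileges_are_dropped` as fatal. Run as an unprivileged user, `drop_privileges` fails with `EPERM`, which is the expected outcome: only root can perform the switch, and any policy that forbids the `setgroups`, `setgid` or `setuid` calls will make the option fail in the same way.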