For more description see patch 3. Long story short, if the bridge helper runs
with SUID, the mechanism we rely on (DAC denying access to ACL files) does not
work.

Michal Privoznik (3):
  qemu-bridge-helper: Reverse return value setting logic
  qemu-bridge-helper: Reverse return value setting logic in
    parse_acl_file
  qemu-bridge-helper: Take ACL file gid into account

 qemu-bridge-helper.c | 79 ++++++++++++++++++++++++++++------------------------
 1 file changed, 42 insertions(+), 37 deletions(-)

--
2.13.0
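
Added illustration, not part of the original message and not code from the patch series: a SUID-root helper has effective uid 0, so a successful open() of an ACL file says nothing about whether the invoking user was allowed to read it. The sketch below makes that decision explicitly from the file's owner, group and mode. The function names are hypothetical, and POSIX ACLs and LSM policy are assumed out of scope.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic owner/group/other read check for the REAL user. POSIX ACLs and
 * LSM policy are deliberately out of scope (assumption of this example). */
bool dac_allows_read(uid_t file_uid, gid_t file_gid, mode_t mode,
                     uid_t ruid, gid_t rgid,
                     const gid_t *groups, size_t ngroups)
{
    if (ruid == 0)
        return true;                    /* real root is not limited by DAC */
    if (file_uid == ruid)
        return (mode & S_IRUSR) != 0;   /* owner class wins, no fall-through */
    bool in_group = (file_gid == rgid);
    for (size_t i = 0; !in_group && i < ngroups; i++)
        in_group = (groups[i] == file_gid);
    if (in_group)
        return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* 1: invoking user could read fd without SUID; 0: could not; -1: error.
 * fstat() on the already-open descriptor avoids a path-based race. */
int fd_readable_by_real_user(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    int n = getgroups(0, NULL);         /* supplementary groups are inherited */
    if (n < 0)
        return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof(*groups));
    if (!groups)
        return -1;
    if (n > 0)
        n = getgroups(n, groups);
    int ok = n < 0 ? -1 : dac_allows_read(st.st_uid, st.st_gid, st.st_mode,
                                          getuid(), getgid(),
                                          groups, (size_t)n);
    free(groups);
    return ok;
}
```
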

On 05/30/2017 10:23 AM, Michal Privoznik wrote:
> For more description see patch 3. Long story short, if the bridge helper runs
> with SUID, the mechanism we rely on (DAC denying access to ACL files) does not
> work.
>
> Michal Privoznik (3):
>   qemu-bridge-helper: Reverse return value setting logic
>   qemu-bridge-helper: Reverse return value setting logic in
>     parse_acl_file
>   qemu-bridge-helper: Take ACL file gid into account
>
>  qemu-bridge-helper.c | 79 ++++++++++++++++++++++++++++------------------------
>  1 file changed, 42 insertions(+), 37 deletions(-)
>

ping?

Michal

On 06/22/2017 05:58 PM, Michal Privoznik wrote:
> On 05/30/2017 10:23 AM, Michal Privoznik wrote:
>> For more description see patch 3. Long story short, if the bridge helper runs
>> with SUID, the mechanism we rely on (DAC denying access to ACL files) does not
>> work.
>>
>> Michal Privoznik (3):
>>   qemu-bridge-helper: Reverse return value setting logic
>>   qemu-bridge-helper: Reverse return value setting logic in
>>     parse_acl_file
>>   qemu-bridge-helper: Take ACL file gid into account
>>
>>  qemu-bridge-helper.c | 79 ++++++++++++++++++++++++++++------------------------
>>  1 file changed, 42 insertions(+), 37 deletions(-)
>>
>
> ping?
>

ping^2?

Michal

On Tue, Jul 11, 2017 at 03:10:43PM +0200, Michal Privoznik wrote:
> On 06/22/2017 05:58 PM, Michal Privoznik wrote:
> > On 05/30/2017 10:23 AM, Michal Privoznik wrote:
> >> For more description see patch 3. Long story short, if the bridge helper runs
> >> with SUID, the mechanism we rely on (DAC denying access to ACL files) does not
> >> work.
> >>
> >> Michal Privoznik (3):
> >>   qemu-bridge-helper: Reverse return value setting logic
> >>   qemu-bridge-helper: Reverse return value setting logic in
> >>     parse_acl_file
> >>   qemu-bridge-helper: Take ACL file gid into account
> >>
> >>  qemu-bridge-helper.c | 79 ++++++++++++++++++++++++++++------------------------
> >>  1 file changed, 42 insertions(+), 37 deletions(-)
> >>
> >
> > ping?
> >
>
> ping^2?

Sigh, this is one of the files for which we have no nominated maintainer
listed, so it easily falls through the cracks.

Since this is network related, I wonder if Jason should be listed in the
MAINTAINERS file for this. Or perhaps we should move the qemu-bridge-helper.c
file into the net/ sub-directory instead?

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On 2017-07-11 22:54, Daniel P. Berrange wrote:
> On Tue, Jul 11, 2017 at 03:10:43PM +0200, Michal Privoznik wrote:
>> On 06/22/2017 05:58 PM, Michal Privoznik wrote:
>>> On 05/30/2017 10:23 AM, Michal Privoznik wrote:
>>>> For more description see patch 3. Long story short, if the bridge helper runs
>>>> with SUID, the mechanism we rely on (DAC denying access to ACL files) does not
>>>> work.
>>>>
>>>> Michal Privoznik (3):
>>>>   qemu-bridge-helper: Reverse return value setting logic
>>>>   qemu-bridge-helper: Reverse return value setting logic in
>>>>     parse_acl_file
>>>>   qemu-bridge-helper: Take ACL file gid into account
>>>>
>>>>  qemu-bridge-helper.c | 79 ++++++++++++++++++++++++++++------------------------
>>>>  1 file changed, 42 insertions(+), 37 deletions(-)
>>>>
>>> ping?
>>>
>> ping^2?

Applied.

> Sigh, this is one of the files for which we have no nominated maintainer
> listed, so it easily falls through the cracks.
>
> Since this is network related, I wonder if Jason should be listed in the
> MAINTAINERS file for this. Or perhaps we should move the qemu-bridge-helper.c
> file into the net/ sub-directory instead?

Let me claim this in MAINTAINERS.

Thanks

>
> Regards,
> Daniel

On 2017-07-14 15:31, Jason Wang wrote:
>
>
> On 2017-07-11 22:54, Daniel P. Berrange wrote:
>> On Tue, Jul 11, 2017 at 03:10:43PM +0200, Michal Privoznik wrote:
>>> On 06/22/2017 05:58 PM, Michal Privoznik wrote:
>>>> On 05/30/2017 10:23 AM, Michal Privoznik wrote:
>>>>> For more description see patch 3. Long story short, if the bridge
>>>>> helper runs
>>>>> with SUID, the mechanism we rely on (DAC denying access to ACL
>>>>> files) does not
>>>>> work.
>>>>>
>>>>> Michal Privoznik (3):
>>>>>   qemu-bridge-helper: Reverse return value setting logic
>>>>>   qemu-bridge-helper: Reverse return value setting logic in
>>>>>     parse_acl_file
>>>>>   qemu-bridge-helper: Take ACL file gid into account
>>>>>
>>>>>  qemu-bridge-helper.c | 79
>>>>> ++++++++++++++++++++++++++++------------------------
>>>>>  1 file changed, 42 insertions(+), 37 deletions(-)
>>>>>
>>>> ping?
>>>>
>>> ping^2?
>
> Applied.

Just noticed Daniel's comment. Michal, can you please address that?

Thanks

>
>> Sigh, this is one of the files for which we have no nominated maintainer
>> listed, so it easily falls through the cracks.
>>
>> Since this is network related, I wonder if Jason should be listed in the
>> MAINTAINERS file for this. Or perhaps we should move the
>> qemu-bridge-helper.c
>> file into the net/ sub-directory instead?
>
> Let me claim this in MAINTAINERS.
>
> Thanks
>
>>
>> Regards,
>> Daniel
>
>