George Dunlap writes ("Re: [PATCH 9/9] libxl: Kill QEMU with "reaper" ruid"):
> On Nov 28, 2018, at 5:02 PM, Ian Jackson wrote:
> > Also I think you need to handle errors properly ? Ie set and check
> > errno.
>
> Don’t I want to pass up the errno values set by the getpwnam functions?
By `set'
> On Nov 28, 2018, at 6:33 PM, George Dunlap wrote:
>
>>> -ret = setresuid(dm_uid, dm_uid, 0);
>>> +fd = open(lockfile, O_RDWR|O_CREAT, 0666);
>>> +if (fd < 0) {
>>> +/* All other errno: EBADF, EINVAL, ENOLCK, EWOULDBLOCK */
>>> +LOGED(ERROR,
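Review bot: the `open(lockfile, O_RDWR|O_CREAT, 0666)` call requests a world-readable and world-writable lock file, so the final permissions depend entirely on the caller's umask. If this lock serialises the reaper's kill sequence, any account able to open the file could take the lock and stall that path; consider creating it with mode 0600 so that only the toolstack user can open it. The quoted lines stop at `LOGED(ERROR,`, so the rest of the error path cannot be reviewed from this excerpt.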
> On Nov 28, 2018, at 5:02 PM, Ian Jackson wrote:
>
> George Dunlap writes ("[PATCH 9/9] libxl: Kill QEMU with "reaper" ruid"):
>> Using kill(-1) to kill an untrusted dm process with the real uid
>> equal to the dm_uid isn't guaranteed to succeed: the process in
>> question may be able to
George Dunlap writes ("[PATCH 9/9] libxl: Kill QEMU with "reaper" ruid"):
> Using kill(-1) to kill an untrusted dm process with the real uid
> equal to the dm_uid isn't guaranteed to succeed: the process in
> question may be able to kill the reaper process after the setresuid()
> and before the
Using kill(-1) to kill an untrusted dm process with the real uid
equal to the dm_uid isn't guaranteed to succeed: the process in
question may be able to kill the reaper process after the setresuid()
and before the kill().
Instead, set the real uid to the QEMU user for domain 0