[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] linux-user: allow to use sudo in guest
From: |
Peter Maydell |
Subject: |
Re: [Qemu-devel] [PATCH] linux-user: allow to use sudo in guest |
Date: |
Wed, 2 Jan 2013 01:16:48 +0000 |
On 20 December 2012 20:56, Laurent Vivier <address@hidden> wrote:
> When qemu-linux-user is used in a linux container or chroot,
> if it needs to load binaries with SUID/SGID bits, it needs to
> have root rights to be able to change UID/GID. To do that, we
> need to install it with SUID bits and root owner.
I suspect a suid qemu binary is a big fat security hole...
> Then, if the SUID bit is not set on the binary to load,
> qemu will set its UID to the saved UID (the current user ID).
>
> To be able to retrieve unsecure environment variables (LD_PRELOAD,
> LD_LIBRARY_PATH) with SUID bit, we need to disable "unsetenv()".
> Otherwise libc unsets these variables before entering in main()
This is basically deliberately disabling a glibc security check.
Needs careful thought and review (which I don't have time for
just now I'm afraid) before this can be committed.
-- PMM