On Thu, Mar 20, 2008 at 04:16:00PM +0800, Tim Post wrote:
> On Thu, 2008-03-20 at 17:05 +1100, Rusty Russell wrote:
>> +       snprintf(memfile_path, PATH_MAX, "%s/.lguest",
>> getenv("HOME") ?: "");
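Review bot: the `?: ""` fallback in this snprintf() means an unset HOME yields the path "/.lguest" at the filesystem root, and the return value is not compared against PATH_MAX, so an over-long HOME is silently truncated. Suggest treating a NULL result from getenv("HOME") as an error and failing when snprintf() returns a value >= PATH_MAX, rather than continuing with a path the user did not choose.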

> Hi Rusty,

> Is that safe if being run via setuid/gid or shared root? It might be
> better to just look it up in /etc/passwd against the real UID,
> considering that anyone can change (or null) that env string.

> Of course it's also practical to just say "DON'T RUN LGUEST AS
> SETUID/GID". Even if you say that, someone will do it. You might also
> add beware of sudoers.

> For people (like myself and lab mates) who are forced to share machines,
> it could breed a whole new strain of practical jokes :)

I'm not sure I see the risk here. Surely not "anyone" can modify your
environment variables out from under you?

Are you worried that other root users are going to point root's .lguest
directory somewhere else, but not the non-root user's directory?

I fear I'm missing something here...

There _is_ an issue I hadn't thought of at the time, which is if your
$HOME is on shared media, and you clash PIDs between lguest launchers on
two machines sharing that media as $HOME, you're going to clash
memfiles, specifically truncating the earlier memfile.

(Sorry for the double-up, lguest list. I hit send too quickly)

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, B.Sc, LPI, MCSE
Very-later-year Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
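
The two points raised in this thread, as an added example that is not part of the original messages or the lguest source: the directory is taken from the passwd entry for the real UID instead of $HOME, and the memfile is created with O_EXCL so a PID clash fails instead of truncating the earlier file. The function names and the "guest-<pid>" file name are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not lguest code; names and "guest-<pid>" are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "<home>/.lguest" from the passwd entry for uid; $HOME is not read.
 * Returns 0, or -1 if there is no usable entry or the path does not fit. */
int lguest_dir_for_uid(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    int n;

    if (!pw || !pw->pw_dir || pw->pw_dir[0] != '/')
        return -1;
    n = snprintf(buf, len, "%s/.lguest", pw->pw_dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Create <dir>/guest-<pid>. O_EXCL turns a name clash into EEXIST instead of
 * truncating a memfile another launcher is using. Returns fd, or -1. */
int create_memfile(const char *dir, pid_t pid, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/guest-%ld", dir, (long)pid);
    if (n < 0 || (size_t)n >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

int main(void)
{
    char dir[PATH_MAX], path[PATH_MAX];
    int fd;
    if (lguest_dir_for_uid(getuid(), dir, sizeof(dir)) != 0)
        return 1;
    if (mkdir(dir, S_IRWXU) != 0 && errno != EEXIST)
        return 1;
    fd = create_memfile(dir, getpid(), path, sizeof(path));
    if (fd < 0)
        return 1;
    printf("created %s\n", path);
    close(fd);
    return unlink(path) != 0;
}
```

On NFS, O_EXCL is only supported with NFSv3 or later, so on older shared media the clash can still go undetected.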

_______________________________________________
kvm-devel mailing list
kvm-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kvm-devel
