> On Dec 18, 2018, at 3:07 PM, Ian Jackson wrote:
>
>> If we switch the earlier `return 0` in the !dm_restrict conditional to a
>> “goto out”, then this would turn into:
>
> I think setting intended_uid==0 when user==0 is a hostage to fortune.
> Why not set it to (uid_t)-1 ?
>
> Then you
George Dunlap writes ("Re: [PATCH v2 05/10] libxl: Do root checks once in
libxl__domain_get_device_model_uid"):
> On Dec 12, 2018, at 3:45 PM, Ian Jackson wrote:
> >> +/*
> >> + * If dm_restrict isn't set, and we don't have a specified user, don't
> >> + * bother setting a `-runas`
> On Dec 12, 2018, at 3:45 PM, Ian Jackson wrote:
>
> George Dunlap writes ("[PATCH v2 05/10] libxl: Do root checks once in
> libxl__domain_get_device_model_uid"):
>> At the moment, we check for equivalence to literal "root" before
>> deciding whether to add the `runas` command-line option to
George Dunlap writes ("[PATCH v2 05/10] libxl: Do root checks once in
libxl__domain_get_device_model_uid"):
> At the moment, we check for equivalence to literal "root" before
> deciding whether to add the `runas` command-line option to QEMU. This
> is unsatisfactory for several reasons.
...
>
At the moment, we check for equivalence to literal "root" before
deciding whether to add the `runas` command-line option to QEMU. This
is unsatisfactory for several reasons.
First, just because the string doesn't match "root" doesn't mean the
final uid won't end up being zero; in particular, the