From 7e73746220aacc750c30340e9a960f839baa228e Mon Sep 17 00:00:00 2001 From: Sean Whitton Date: Wed, 6 Oct 2021 11:36:25 -0700 Subject: add & propagate :NO-SERVICES connattr and respect in LIBVIRT:STARTED This change was prompted by the realisation that RECONNECTS nullifies any enclosing SERVICE:WITHOUT-STARTING-SERVICES because *HOST* during RECONNECTS is a distinct HOST value, computed at hostattrs time, which can't be affected by an enclosing combinator that works by temporarily pushing hostattrs at :APPLY time. So, for example, if we chroot and subsequently establish a :SETUID connection, properties might try to start services as the non-root user and there is no way for them to know they shouldn't. We can avoid this problem by using a connattr instead because we have a mechanism for propagating connattrs to subsequently established connections. And as in most cases the reason for not starting services is solely due to the way in which we're connecting to the host, a connattr is more appropriate. Signed-off-by: Sean Whitton --- src/connection/chroot.lisp | 4 ++++ src/connection/setuid.lisp | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'src/connection') diff --git a/src/connection/chroot.lisp b/src/connection/chroot.lisp index 5c149e3..8f829d3 100644 --- a/src/connection/chroot.lisp +++ b/src/connection/chroot.lisp @@ -86,6 +86,10 @@ should be the mount point, without the chroot's root prefixed.") ((type (eql :remote-gid)) connattr (connection chroot-connection)) connattr) +(defmethod propagate-connattr + ((type (eql :no-services)) connattr (connection chroot-connection)) + connattr) + ;;;; :CHROOT.FORK diff --git a/src/connection/setuid.lisp b/src/connection/setuid.lisp index 2036146..59b9e67 100644 --- a/src/connection/setuid.lisp +++ b/src/connection/setuid.lisp 
@@ -65,3 +65,7 @@ user (connection-connattr connection :remote-home)) ;; We are privileged, so this sets the real, effective and saved IDs. (nix:setgid gid) (nix:initgroups user gid) (nix:setuid uid))) + +(defmethod propagate-connattr + ((type (eql :no-services)) connattr (connection setuid-connection)) + connattr) -- cgit v1.2.3
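Review bot: in the chroot.lisp hunk, the new PROPAGATE-CONNATTR method for :NO-SERVICES sits directly under the :REMOTE-GID one and carries no comment or docstring saying why this attribute must survive into connections established inside the chroot. The reasoning exists only in the commit message (an enclosing SERVICE:WITHOUT-STARTING-SERVICES is lost across RECONNECTS), so a one-line comment above the method would keep it from looking like an arbitrary pass-through. The visible diff is limited to src/connection and shows propagation only, so it cannot be checked from here that something sets :NO-SERVICES when the chroot connection is established; that is worth confirming in the rest of the commit.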
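Review bot: in the setuid.lisp hunk, the method is appended at the end of the file right after the form ending in (nix:setuid uid), with no comment tying it to the case the commit message describes, where properties run as the non-root user after a chroot followed by :SETUID might try to start services. A short comment naming that case would help, since this is the method that actually closes the gap. Only CHROOT-CONNECTION and SETUID-CONNECTION receive a :NO-SERVICES method in this diff; if any other connection type can be established beneath a chroot, it would need the same method for the attribute to reach the innermost connection, so it is worth stating in the commit message or a comment that the remaining types were checked.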