Jean-Pierre Ribeauville
2016-Feb-04 13:42 UTC
[libvirt-users] libvirt.so is not safe to use from setuid programs
Hi,

When trying to connect to the hypervisor from a binary having the setuid bit set, I got the following error:

Unable to perform virConnectOpenReadOnly function error(internal error: libvirt.so is not safe to use from setuid programs)

My test software config is the following:

-rwsr-xr-x. 1 root root 3374956 Feb 4 13:45 test

As this test software needs the S bit to be able to access O.S. metrics counters, how may I use it to retrieve KVM metrics counters?

Thx for help.

J.P. Ribeauville

Daniel P. Berrange
2016-Feb-04 14:03 UTC
Re: [libvirt-users] libvirt.so is not safe to use from setuid programs
On Thu, Feb 04, 2016 at 01:42:12PM +0000, Jean-Pierre Ribeauville wrote:
> Hi,
>
> When trying to connect the HyperVisor from a binary
> having setuid bit set , then I got following error:
>
> Unable to perform virConnectOpenReadOnly function error(internal
> error: libvirt.so is not safe to use from setuid programs)
>
> My test software config is the following :
>
> -rwsr-xr-x. 1 root root 3374956 Feb 4 13:45 test
>
> As this test software needs S bit to be able to access O.S.
> metrics counters , how may I use it to retrieve KVM metrics
> counters ?

You should re-write your app so that it does not need to have the setuid bit present for everything it does. Create a tiny self-contained executable for *only* accessing OS metrics counters, so that bit can run setuid, and the main bulk of your app can run unprivileged.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
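
The split suggested in the reply above, seen from the unprivileged main program, as an added example (not code from the thread or from libvirt). The helper path `/usr/libexec/os-metrics-helper`, its single-line output, and the `is_setuid()` check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* True when the process runs with elevated IDs (setuid/setgid binary). */
int is_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Run the helper with an empty environment and a fixed argv, copying its
 * stdout into buf. Returns bytes read, or -1 on failure or non-zero exit. */
ssize_t run_helper(const char *path, char *const argv[], char *buf, size_t len) {
    int fds[2];
    if (len == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char *const envp[] = { NULL };   /* nothing inherited by the setuid helper */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(127);
        close(fds[1]);
        execve(path, argv, envp);        /* absolute path: no PATH lookup */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < len - 1 && (n = read(fds[0], buf + used, len - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)used;
}

int main(void) {
    char out[256];
    char *const argv[] = { "os-metrics-helper", NULL };  /* hypothetical helper */
    if (is_setuid()) { fprintf(stderr, "main program must not be setuid\n"); return 1; }
    if (run_helper("/usr/libexec/os-metrics-helper", argv, out, sizeof out) < 0) return 1;
    /* libvirt calls such as virConnectOpenReadOnly() go here, in this unprivileged process. */
    printf("OS metrics: %s", out);
    return 0;
}
```

Only the helper binary carries the setuid bit; it should read the counters, print them, and exit without parsing anything beyond its fixed arguments.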