From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from imap.gmail.com [173.194.76.109]
	by localhost with POP3 (fetchmail-6.3.26)
	for <sbrivio@localhost> (single-drop); Thu, 23 May 2024 03:48:54 +0200 (CEST)
Received: by 2002:a05:6a11:2489:b0:55f:c3c0:ed08 with SMTP id sg9csp1026647pxb;
        Wed, 22 May 2024 18:48:34 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCW6BywMpYxx5RDVM91XDX2wJkjjq+uVAtJYSdBeUTLf4QGtRJuz0J10ub6OGaygSoGJIRt0iNJqixPg3qgddMptg1v3t+72GlQ=
X-Google-Smtp-Source: AGHT+IHxfHTkEKkEpQjadIiKzdkW055aSQlw51+W0Yb9aVoNKlvFCjo6WTtKrwKnNnHYJwTJMVdc
X-Received: by 2002:ac8:5a10:0:b0:43a:e5b1:c8 with SMTP id d75a77b69052e-43f9e171328mr35857811cf.58.1716428914215;
        Wed, 22 May 2024 18:48:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1716428914; cv=none;
        d=google.com; s=arc-20160816;
        b=ot/F7yMo+NxbuqldQyvmKL6yZL54kZpwv7PdO+z3d6cz5k8BlFrRHHGfJ3qn0JOU7g
         6SbHmWCHL9r394QERqXFkSwtxLhZdhuiacj6u92tB+DZ/UzbfoNu/GdXfqe1apM9S3S3
         40bHNrt3RLu6GgzNLpEbGlkAugNX64GvS0NygsE+NRVAKOfHygtSjEv7MFcgS+ecPIU+
         mppjMNnpElz0HEArUY60TCyqlwWweq/R8s2QE0h5reowMcQtaAbGNQd56IDglJW2nsT9
         PXBPf7rLR2ZNQ5fX0mczalS9s0/2QcOYJJbd67OzT/OiWWcCe89AxFO/mgcxEETHUCE/
         kgJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:dkim-signature:delivered-to;
        bh=doU8NCECWb5z8qDfdGYpyk0jx2miBuEqtELx+VqU7Fc=;
        fh=xYkst1351HdxJpVn+aDOJfMAHrKlAdcbZbZgF6iSq8Q=;
        b=o+agYyVJPKgimP5Qyfrs5YkVWRImusG8g0rgMsfymVkYsMm9JAOMeAZAyLSt2cc/fN
         5qHw7ysUBS2l6wQ3Za2CZwOy3DYhHlQtAJNQU4e9I6vAYjkcuhl1dTgSmwVFUOIY/ZaH
         c9znwk9brWC+pQ8aM1roYGzK6oM279LsXhp11pHCKQcxW3b5jwJpetn9SPD882UdzN9p
         9H/+CA4oUhIV1uSuWgD3mS0yuE1Mc9MhH8E10MpBvN9BK9c47+k41kRizdvC2+kP7O8s
         iQNu6OPtX6euVUNhO4yRUETbCRGsdl2VtmwreqePUE7dUJmQaneovc2pEXLJ1LO/mqwv
         i45Q==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@gibson.dropbear.id.au header.s=202312 header.b=AENL2o3U;
       spf=pass (google.com: domain of dgibson@gandalf.ozlabs.org designates 150.107.74.76 as permitted sender) smtp.mailfrom=dgibson@gandalf.ozlabs.org
Return-Path: <dgibson@gandalf.ozlabs.org>
Received: from us-smtp-inbound-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com. [170.10.128.131])
        by mx.google.com with ESMTPS id d75a77b69052e-43df566f89esi44066321cf.308.2024.05.22.18.48.32
        for <sbrivio@gapps.redhat.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 22 May 2024 18:48:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of dgibson@gandalf.ozlabs.org designates 150.107.74.76 as permitted sender) client-ip=150.107.74.76;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@gibson.dropbear.id.au header.s=202312 header.b=AENL2o3U;
       spf=pass (google.com: domain of dgibson@gandalf.ozlabs.org designates 150.107.74.76 as permitted sender) smtp.mailfrom=dgibson@gandalf.ozlabs.org
Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-275-FLnvmWEiNmaWepjj-dowow-1; Wed,
 22 May 2024 21:48:31 -0400
X-MC-Unique: FLnvmWEiNmaWepjj-dowow-1
Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 9EDD71956088
	for <sbrivio@gapps.redhat.com>; Thu, 23 May 2024 01:48:30 +0000 (UTC)
Received: by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix)
	id 8F66C194328D; Thu, 23 May 2024 01:48:30 +0000 (UTC)
Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.23])
	by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8CD3F194328B
	for <sbrivio@redhat.com>; Thu, 23 May 2024 01:48:30 +0000 (UTC)
Received: from us-smtp-inbound-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [170.10.128.131])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3565E1955E7A
	for <sbrivio@redhat.com>; Thu, 23 May 2024 01:48:30 +0000 (UTC)
Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-17-IF-_ywa-ND6NoSlO66fXAA-1; Wed,
 22 May 2024 21:48:26 -0400
X-MC-Unique: IF-_ywa-ND6NoSlO66fXAA-1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gibson.dropbear.id.au; s=202312; t=1716428901;
	bh=doU8NCECWb5z8qDfdGYpyk0jx2miBuEqtELx+VqU7Fc=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=AENL2o3U8vI+YiQsrn+X0TIo5SZGxr2JYVUEi4dfht5mGEjK13hs+3PNg8eTu3G8L
	 g18bNTtBV93PL8KZEjhdYkLSFoEBwkwIdb/MpzUFqWsQl7vZDbWvWfFFA2cIWzonwr
	 uw4lXgcHVN3AzQj6IWTDujDz2enEu6f85hc1zMf5ZH3uaOReyyygubRxzltzBZh2lV
	 flR9wAqg0rX0XCoCL7Q/DsakfQO5QgBi7Si+Uhu8PKS2mXb4CXjj0sVVTZmYRw7FZA
	 F+T/wcMcjdWfxOQaEtRCAzlzXyBpHFpexevUzkQN64hCWT2MMWol14PBzh1/4+TbhT
	 FreCQRNL6cZTg==
Received: by gandalf.ozlabs.org (Postfix, from userid 1007)
	id 4VlB0475Bpz4wqM; Thu, 23 May 2024 11:48:20 +1000 (AEST)
Date: Thu, 23 May 2024 11:45:38 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Stefano Brivio <sbrivio@redhat.com>
Cc: passt-dev@passt.top, "'Richard W . M . Jones'" <rjones@redhat.com>,
	Minxi Hou <mhou@redhat.com>
Subject: Re: [PATCH 1/8] conf: Don't lecture user about starting us as root
Message-ID: <Zk6fwvx-SbVLe4Nb@zatzit>
References: <20240522205911.261325-1-sbrivio@redhat.com>
 <20240522205911.261325-2-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="nFYMVbHL4SGDMpwC"
Content-Disposition: inline
In-Reply-To: <20240522205911.261325-2-sbrivio@redhat.com>
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
List-Id: <passt-dev.passt.top>


--nFYMVbHL4SGDMpwC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 22, 2024 at 10:59:04PM +0200, Stefano Brivio wrote:
> libguestfs tools have a good reason to run as root: if the guest image
> is owned by root, it would be counterproductive to encourage users to
> invoke them as non-root, as it would require changing permissions or
> ownership of the image file.
>=20
> And if they run as root, we'll start as root, too. Warn users we'll
> switch to 'nobody', but don't tell them what to do.
>=20
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  conf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>=20
> diff --git a/conf.c b/conf.c
> index 21d46fe..2e0d909 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -1093,7 +1093,7 @@ static void conf_ugid(char *runas, uid_t *uid, gid_=
t *gid)
>  		return;
> =20
>  	/* ...otherwise use nobody:nobody */
> -	warn("Don't run as root. Changing to nobody...");
> +	warn("Started as root. Changing to nobody...");
>  	{
>  #ifndef GLIBC_NO_STATIC_NSS
>  		const struct passwd *pw;

--=20
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

--nFYMVbHL4SGDMpwC
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEO+dNsU4E3yXUXRK2zQJF27ox2GcFAmZOn70ACgkQzQJF27ox
2Gcf2A/+M4ha/AYTYeCdtJACvA6N2ld1C0ZNap8KEmkU/AhusfNLBaPEMxDXwuhC
OAHxjihd9WSgBJasmz2vMHSvoKkiTdz1Eiz8tytbCWK5XgM3MVTOx6KrMiEwXJrr
q+AkG2CXroKdSOPjBB3c4P3i7/ajpW7xyilQeRQr3IUJbMGKhA9vUbIdTCCY4i9R
dYJdiWDv2UB7Gs0pbBbrInJ4EG6oqeInTuhk6dqoMmIyGeeZxTDXWZX0PzCWT2Ce
xBfjDgQZI3HOgLHTbflDt6PiQuBf8uIHrUg/oXJ7i4AfzgZbXmMmx/u/BKaMXtdf
brj2zgbXj11jly9GdlOTKmz/+bzQKOIIMfsZclx153yyq31KdNwSl+d9GiXTJE26
djUUSDptiu+j+9P6TP94O7II+5tqj+SI+gKqnBz/oW7Dr2XWPcUcmoazA8053dEN
428lDoJz1DNrghRfzGIEl89CX2w3QTiSbcSwaYNna09A4AGPl9w5nQCus6GsI9p8
50S6AbLClOumZllaLz2Ryj3It6iwgTVH3HC3xevDTpbBzkNJpk95tIyZzAo7/RA8
n4IddeufosGxaN6Btdbj7UhqhHlP1KNl6drOS9joL8WNQYQyrDbrs4DEojbpu5km
p2BneKbio1uA+khdDGveBoUz8oLqfJ5dmaTMxzLE9Ms4PFrn8Ow=
=7zOT
-----END PGP SIGNATURE-----

--nFYMVbHL4SGDMpwC--