[Libosinfo] Handling `http://` calls with sudo/su
Daniel P. Berrangé
berrange at redhat.com
Wed May 22 09:25:05 UTC 2019
On Wed, May 22, 2019 at 11:00:04AM +0200, Fabiano Fidêncio wrote:
> People,
>
> https://gitlab.com/libosinfo/libosinfo/issues/30 brought up an
> interesting fact that I wasn't aware of and may have some negative
> impact on libosinfo consumers.
>
> Basically, GVfs requires access to the session bus (which, by deafult,
> is private and does not accept connections of any other user apart
> from the one that owns the bus), causing any call made to
> `osinfo_{tree,media}_create_from_location()` and any operation of
> osinfo-db-import and osinfo-detect relying on gvfsd-http to *not* work
> when called using sudo/su.
>
> Cole already stated that it could be blocker for virt-install to every
> fully depend on libosinfo as `sudo virt-install ...` should just work.
>
> Now, what are the options we have? (No, this is not a rethorical question ...)
>
> There are a few things that come to my mind:
> - Stop relying on GVfs for anything that's not local and implement the
> `http://` on our side;
Reluctantly that is probably the best option we have :-(
> - Drop the privileges when calling libosinfo APIs that are known for
> relying on GVfs, as suggested by Ondrej Holy
> - This would have to be done by each app consuming libosinfo APIs,
> doesn't sound like the most appealing thing to do, even if possible to
> implement properly
I think playing this kind of game will forever be a source of hard
to diagnose bugs.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the Libosinfo
mailing list