Re: [libvirt] PATCH: Fix permissions problem starting QEMU
On Fri, 2009-07-31 at 09:41 +0100, Daniel P. Berrange wrote:
On Fri, Jul 31, 2009 at 09:28:37AM +0100, Mark McLoughlin wrote:
> On Thu, 2009-07-30 at 15:00 +0100, Daniel P. Berrange wrote:
> > There is a minor bug when running QEMU non-root, and having
> > capng enabled. libvirt is unable to write the PID file in
> > /var/run/libvirt/qemu, since its now owned by 'qemu', but
> > libvirtd has dropped all capabilties at this point. The fix
> > is to delay dropping capabilities until after the PID file
> > has been created. We should also be sure to kill the child
> > if writing the PID file fails
>
> I haven't looked into it much yet, but don't we need to open up the
> permissions on /var/lib/libvirt/images now? At least from 700 to 711 so
> qemu can open images?
Hmm, that's a good point, we definitely need to do that. 711 shoudl be
good because that lets us chmod the individual imagges to allow QEMU
user to open them, while not allowing people to list the contents of
the directory
Okay, committing this.
Cheers,
Mark.
From: Mark McLoughlin <markmc(a)redhat.com>
Subject: [PATCH] Set perms on /var/lib/libvirt/images to 0711
Allow qemu user to open images in this dir, but still prevent others
from listing it.
* libvirt.spec.in: set /var/lib/libvirt/images perms to 0711
---
libvirt.spec.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index c295629..fdc2210 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -489,7 +489,7 @@ fi
%dir %{_localstatedir}/run/libvirt/
%dir %{_localstatedir}/lib/libvirt/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/
+%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
%dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
--
1.6.2.5