On 01/07/2011 05:30 AM, Jiri Denemark wrote:
>> Setting unix_sock_group to something other than the default "root" in
>> /etc/libvirt/libvirtd.conf prevents system libvirtd from dumping core on
>> crash. This is because we used setgid(unix_sock_group) before binding to
>> /var/run/libvirt/libvirt-sock* and setgid() back to original group.
>> However, if a process changes its effective or filesystem group ID, it
>> will be forbidden from leaving core dumps unless fs.suid_dumpable sysctl
>> is set to something other than 0 (and it is 0 by default).
>>
>> Changing socket's group ownership after bind works better. And we can do
>> so without introducing a race condition since we loosen access rights by
>> changing the group from root to something else.
>
> If you use fchown(sock->fd) then you avoid any possible race issues.
Except that it doesn't work. That was the first thing I tried, but fchown()
doesn't seem to work on unix sockets. The socket still ended up with
root:root ownership regardless of where I put fchown() -- either before bind()
to avoid race issues or after it, which wouldn't be any better than chown().
POSIX states that fchown() on pipes and sockets is allowed (but not
required) to fail with EINVAL. I think it's a POSIX-compliance bug in
the Linux kernel that it silently succeeds but ignores the change
request, but to be truly portable, we have to use chown() rather than
fchown() to avoid falling foul of the undefined behavior in the first
place (whether or not we can convince kernel folks to either make
fchown() fail with EINVAL or succeed at doing what we want).
So, I don't see any other alternatives, and your patch looks like the
way to go. ACK as-is.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org
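The behaviour the thread argues about can be observed directly. The following is an added example, not code from the libvirt patch or from either poster: it binds an AF_UNIX socket at a path, calls fchown() on the descriptor and then chown() on the path, and checks with stat() which of the two actually changed the group of the filesystem node. The socket path is an assumption chosen for the demo; so that it runs unprivileged, the target group is taken from the caller's own supplementary groups (chown to a group you belong to needs no CAP_CHOWN), and the comparison is skipped when no such group exists.

```c
/* Added demo (not libvirt code): fchown() on a bound AF_UNIX socket vs
 * chown() on its path. On Linux, fchown(fd) acts on the sockfs inode behind
 * the descriptor, so it returns 0 but leaves the filesystem node created by
 * bind() untouched; chown(path) is what changes that node. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Pick a group the caller is a member of that differs from `current`, so an
 * unprivileged chown()/fchown() to it is permitted. Returns (gid_t)-1 when
 * the caller has no such group (e.g. a single-group user). */
static gid_t pick_alternate_group(gid_t current)
{
    gid_t groups[256];
    int n = getgroups(256, groups);
    for (int i = 0; i < n; i++)
        if (groups[i] != current)
            return groups[i];
    return (gid_t)-1;
}

/* Bind a socket at `path` and compare the effect of fchown() and chown().
 * Returns:
 *   -1  a syscall failed (errno set)
 *    0  skipped: no alternate group available for the caller
 *    1  fchown(fd) left the path's group alone, chown(path) changed it
 *       (the Linux behaviour described in the thread)
 *    2  fchown(fd) did change the path's group (a kernel where it works)
 *    3  neither call changed the path's group */
int demo_socket_group(const char *path)
{
    struct sockaddr_un addr;
    struct stat st;
    int fd, result = -1;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    unlink(path);                       /* stale node from an earlier run */

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;

    if (stat(path, &st) < 0)
        goto out;
    gid_t alt = pick_alternate_group(st.st_gid);
    if (alt == (gid_t)-1) {
        result = 0;
        goto out;
    }

    /* 1. fchown() on the descriptor: succeeds, but the node on disk is not
     *    what it operates on. */
    if (fchown(fd, (uid_t)-1, alt) < 0)
        goto out;
    if (stat(path, &st) < 0)
        goto out;
    int fchown_changed_path = (st.st_gid == alt);

    /* 2. chown() on the path, as the libvirt patch does after bind(). */
    if (chown(path, (uid_t)-1, alt) < 0)
        goto out;
    if (stat(path, &st) < 0)
        goto out;
    int chown_changed_path = (st.st_gid == alt);

    if (fchown_changed_path)
        result = 2;
    else if (chown_changed_path)
        result = 1;
    else
        result = 3;
out:
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = demo_socket_group("/tmp/fchown_demo.sock");   /* assumed path */
    printf("result code: %d\n", r);
    return r < 0;
}
```

Result code 1 is what the thread reports for Linux: the descriptor-based call is accepted without error and without effect on the path, which is why the ownership change has to be made with chown() on the path after bind(). The chown() is safe against races here only because, as Jiri notes, it loosens rather than tightens access: until it runs, the node is root:root with the mode set by umask, so nothing unexpected gains access in the window.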