On Tue, Sep 08, 2015 at 08:49:16PM +0200, Jiri Denemark wrote:
> On Tue, Sep 08, 2015 at 19:07:09 +0200, Martin Kletzander wrote:
> Commit f1f68ca33433 tried fixing running multiple domains under various
> users, but if the user can't browse the directory, it's hard for the
> qemu running under that user to create the monitor socket.
>
> The permissions need to be fixed in two places due to support for both
> installations with and without driver modules.
>
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
>
> Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
> ---
> This is not a problem for non-rpm installs because normal make install
> will not change the permissions, it will just create the directory, so
> it has 0755, but that difference is not something I'm trying to fix in
> this patch.
>
> libvirt.spec.in | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index bb8bfc3c25c1..48461e865dc8 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -2002,7 +2002,7 @@ exit 0
> %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
> %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
> %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
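Review bot: Going from 0750 to 0751 gives every local user search access to %{_localstatedir}/lib/libvirt/qemu/, so the protection of its contents now rests entirely on the modes of the per-VM subdirectories and sockets created beneath it, which this hunk does not touch; before this goes in, confirm the mode those entries are created with (or tighten them at creation time) and record that dependency in the commit message, since a 0751 parent plus a 0755 child is a world-readable path. Also, the commit message says the permissions need fixing in two places and the diffstat counts two changed lines, but only this one %dir line appears in the hunk shown here.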
> Seems OK, but are we sure every file created in that directory uses 007
> mask? Otherwise, we would be opening a hole here...
To be honest I haven't checked that. I'm relying on the fact that
RPM-based installations are the only ones that get their permissions
for others cut down, hence all normal installations would be broken
already. Looking at the monitor socket for example, it might've been
a problem, but it's pre-existing to this patch (again, for
non-RPM-based installations). We could fix this by restricting the
per-VM directories' permissions when creating them. There's also one
more problem: the default permissions are also 755 for channels, which
should be fixed as well, if it really is a problem now.
Although, if using SELinux, I think the problem is either not there or
way less problematic.
What's your view on that?
> Jirka
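The question raised in this thread, whether a 0751 parent directory is safe given whatever gets created underneath it, is something a packager can check mechanically. The script below is an added example, not code from the patch, from libvirt or from either author; it builds a constructed directory tree under mktemp that mirrors the layout being discussed (a traversable 0751 parent, one locked-down per-VM directory with a 0600 socket placeholder, and one directory left at the 0755 default mentioned for channels), audits it for any entry that grants permissions to "others", and then applies the restriction the reply proposes. The directory names (vm-locked, channel, monitor.sock) are invented for the example, and it assumes GNU find for the `-perm /mode` syntax.

```shell
#!/bin/sh
# Added example (not from the libvirt patch or the thread): audit a tree whose
# top directory is mode 0751. Others can traverse such a directory, so every
# entry below it must deny "others" or it becomes reachable by path.
# Assumes GNU find (-mindepth, -perm /mode).

# Build a constructed tree mirroring the layout under discussion. Names are
# hypothetical; only the modes matter.
make_sample_tree() {
    base=$(mktemp -d)
    chmod 0751 "$base"                       # the mode the patch introduces
    mkdir "$base/vm-locked" && chmod 0700 "$base/vm-locked"
    : > "$base/vm-locked/monitor.sock" && chmod 0600 "$base/vm-locked/monitor.sock"
    mkdir "$base/channel" && chmod 0755 "$base/channel"   # 0755 default: leaks
    printf '%s\n' "$base"
}

# Print entries below $1 (not $1 itself) that grant any permission to others.
# Returns 0 when the tree is clean, 1 when at least one entry leaks.
audit_others() {
    leaks=$(find "$1" -mindepth 1 -perm /o+rwx)
    if [ -n "$leaks" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$1" "$leaks"
        return 1
    fi
    return 0
}

# The mitigation the reply suggests, applied after the fact: strip all
# "others" bits from everything below the traversable parent, leaving the
# parent's own 0751 untouched.
harden_tree() {
    find "$1" -mindepth 1 -exec chmod o-rwx {} +
}

# Usage: run stand-alone to see the leak reported, then fixed.
tree=$(make_sample_tree)
audit_others "$tree" || true
harden_tree "$tree"
audit_others "$tree" && echo "clean: $tree"
rm -rf "$tree"
```

Pointing audit_others at a real %{_localstatedir}/lib/libvirt/qemu/ after a package install is the practical check behind Jiri's question: any line it prints is a path that a 0751 parent no longer protects.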