Re: [libvirt] [PATCH] storage: Default pool permission mode to 0711

On 2012年06月19日 00:24, Eric Blake wrote: The difference is 755 allows the group users and others to inspect what the images are and their permissions in the pool. The side effect what I can think of is: % ls -l /var/lib/libvirt/images/ -rw-r--r--. 1 root root 1048576 6月 18 14:34 attch.img -rw-r--r--. 1 root root 1048576 6月 14 17:38 foo2.img -rw-r--r--. 1 root root 1048576 6月 14 17:33 foo.img -rw-rw-rw-. 1 root root 0 6月 21 11:31 local.img % > /var/lib/libvirt/images/local.img I.e, if one can check the files in the pool, and the vols have write permission for group users/others exposed, then it can be easily damaged. However, one can destroy the vols data anyway even with 711, though one should known the filename of the target vol first, e.g. % ls -ld /var/lib/libvirt/images/ drwx--x--x. 2 root root 4096 Jun 18 14:34 /var/lib/libvirt/images/ % stat /var/lib/libvirt/images/local.img File: `/var/lib/libvirt/images/local.img' Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 808h/2056d Inode: 1054167 Links: 1 Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root) Context: system_u:object_r:virt_image_t:s0 Access: 2012-06-21 11:39:41.928284645 +0800 Modify: 2012-06-21 11:31:11.948457979 +0800 Change: 2012-06-21 11:38:58.948639333 +0800 Birth: - % > /var/lib/libvirt/images/local.img % So from my p.o.v, 711 is better choice, at least it's not that easy for the group users/others to get the file names in the pool. Regards, Osier