Libvirt-socket-rw and libvirt-socket-ro are used not only by libvirt or the root user,<br>but also by unprivileged applications such as vdsm.<br>Restricting the rundir to read/search only for libvirt prevents communication<br>with unprivileged clients; change the rundir permission to equal the sockets' permission.<br>
See bug:<br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=828073" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=828073</a><br>
<br>Signed-off-by: lvroyce <<a href="mailto:lvroyce@linux.vnet.ibm.com" target="_blank">lvroyce@linux.vnet.ibm.com</a>><br>---<br> daemon/libvirtd.c | 2 +-<br> 1 files changed, 1 insertions(+), 1 deletions(-)<br>
<br>diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c<br>
index c74cd43..6095072 100644<br>--- a/daemon/libvirtd.c<br>+++ b/daemon/libvirtd.c<br>@@ -293,7 +293,7 @@ daemonUnixSocketPaths(struct daemonConfig *config,<br> if (!(rundir = virGetUserRuntimeDirectory()))<br>
goto error;<br> <br>- old_umask = umask(077);<br>+ old_umask = umask(022);<br> if (virFileMakePath(rundir) < 0) {<br> umask(old_umask);<br> goto error;
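Review bot: the new `umask(022)` ahead of `virFileMakePath(rundir)` only takes effect when this call actually creates the directory, so a rundir left over from an earlier run keeps the mode it got under `umask(077)` and the unprivileged clients named in the commit message stay locked out; consider setting the mode on rundir explicitly after it is created instead of relying on the umask. The value is also hard-coded, while the commit message says the directory permission should equal the sockets' permission, so either derive it from the configured socket mode or add a comment saying why 022 is the right value. Since rundir comes from `virGetUserRuntimeDirectory()`, this opens a per-user directory to read/search by group and other, which deserves a comment at this spot noting that everything later created under it must carry its own restrictive mode.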