[libvirt] [RFC] security_dac: don't chown iso file

Serge Hallyn serge.hallyn at canonical.com
Wed Oct 5 14:39:12 UTC 2011


Quoting Laine Stump (laine at laine.org):
> On 10/05/2011 06:33 AM, Daniel P. Berrange wrote:
> >On Tue, Oct 04, 2011 at 12:49:03PM -0500, Serge E. Hallyn wrote:
> >>Quoting Serge E. Hallyn (serge.hallyn at canonical.com):
> >>>isos are read-only, so libvirt doesn't need to chown them.  In one of
> >>>our testing setups, libvirt uses mirrored isos.  Since libvirt chowns
> >>>the files, (and especially does not chown them back) the mirror refuses
> >>>to update the iso.
> >>>
> >>>This patch prevents libvirt from chowning files.
> >>>
> >>>Does this seem reasonable?
> >>any feedback on this?  Does it seem ok?
> >Unfortunately while this would fix the use case you describe, it would
> >also break other use cases.
> >
> >What we really need to do with the DAC driver is replace all the
> >chown() code with code that sets ACLs instead. Well actually we
> >would need to keep the chown code as a fallback for filesystems
> >which don't support ACLs, but as long as we prefer ACLs by default
> >that'd be OK.
> >
> >Of course when we have ACLs, we'd only need to grant 'r' to the
> >file for CDROMs which would be better than what we do now.
> 
> 
> In the meantime, I think you can solve the problem with your mirror
> by mounting the share read-only. When the filesystem is read-only,
> libvirt will attempt the chown/chgrp and fail, but notice the
> failure is due to a r/o (or root-squash) filesystem, and ignore the
> failure.

Thanks for the suggestion, Laine.  I suspect the dir they're using needs
to be writeable, but I'll ask if it is feasible to use a read-only bind
mount of the directory.

thanks,
-serge
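To make the fallback behaviour discussed in this thread concrete, here is an added example in C. It is not libvirt's own DAC driver code and not code from any participant; the function names (`dac_set_ownership`, `dac_chown_error_is_ignorable`, `dac_demo`), the result enum, and the mapping of EROFS to "read-only filesystem" and EPERM to "root-squashed export" are assumptions of this example, drawn from Laine's description of a chown that fails on a r/o or root-squash filesystem and is then ignored. It also skips the chown entirely when the file already has the requested owner, so an ISO that is already correct is never written to.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of a DAC ownership change, modelled on the behaviour described in
 * the thread: a failed chown on a read-only (or root-squashed) share is
 * noticed and ignored rather than treated as fatal. (Example code, not
 * libvirt's.) */
enum dac_result {
    DAC_OK = 0,        /* ownership changed, or already as requested */
    DAC_IGNORED = 1,   /* chown failed, but for a reason we tolerate */
    DAC_ERROR = -1     /* chown failed for a real reason */
};

/* Decide whether a chown errno is one the DAC driver should tolerate.
 * EROFS: read-only filesystem (e.g. a read-only bind mount of the ISO dir).
 * EPERM: assumed here to be the result on an NFS export with root_squash,
 *        where even root is not allowed to change ownership. */
static int dac_chown_error_is_ignorable(int err)
{
    return err == EROFS || err == EPERM;
}

/* Set ownership of PATH to UID:GID and return one of enum dac_result.
 * If the file already has the requested owner and group, nothing is
 * written, so a correctly-owned read-only ISO is left untouched. */
enum dac_result dac_set_ownership(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;

    if (stat(path, &sb) < 0) {
        fprintf(stderr, "cannot stat %s: %s\n", path, strerror(errno));
        return DAC_ERROR;
    }
    if (sb.st_uid == uid && sb.st_gid == gid)
        return DAC_OK;  /* already owned as requested: no chown needed */

    if (chown(path, uid, gid) < 0) {
        int err = errno;
        if (dac_chown_error_is_ignorable(err)) {
            fprintf(stderr, "ignoring failed chown of %s to %u:%u: %s\n",
                    path, (unsigned) uid, (unsigned) gid, strerror(err));
            return DAC_IGNORED;
        }
        fprintf(stderr, "cannot chown %s to %u:%u: %s\n",
                path, (unsigned) uid, (unsigned) gid, strerror(err));
        return DAC_ERROR;
    }
    return DAC_OK;
}

/* Stand-alone check: a throwaway file in /tmp (constructed input) given to
 * the calling user must succeed; a path that does not exist must be a hard
 * error. Returns 0 when both outcomes are as expected. */
int dac_demo(void)
{
    char tmpl[] = "/tmp/dac-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    enum dac_result r1, r2;

    if (fd < 0)
        return -1;
    close(fd);
    r1 = dac_set_ownership(tmpl, getuid(), getgid());        /* DAC_OK */
    r2 = dac_set_ownership("/nonexistent/dac-demo.iso",
                           getuid(), getgid());              /* DAC_ERROR */
    unlink(tmpl);
    return (r1 == DAC_OK && r2 == DAC_ERROR) ? 0 : 1;
}

int main(void)
{
    return dac_demo();
}
```

The ACL-based replacement Daniel proposes (grant only `r` on a CDROM image, keep chown as the fallback for filesystems without ACL support) would sit in front of `dac_set_ownership`: try the ACL first, and call this function only when the filesystem reports that ACLs are unsupported.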
