[libvirt] [PATCH] Allow execute access to /var/lib/libvirt/qemu/ for others

Martin Kletzander mkletzan at redhat.com
Wed Sep 9 06:46:02 UTC 2015

On Tue, Sep 08, 2015 at 08:49:16PM +0200, Jiri Denemark wrote:
>On Tue, Sep 08, 2015 at 19:07:09 +0200, Martin Kletzander wrote:
>> Commit f1f68ca33433 tried fixing running multiple domains under various
>> users, but if the user can't browse the directory, it's hard for the
>> qemu running under that user to create the monitor socket.
>> The permissions need to be fixed in two places due to support for both
>> installations with and without driver modules.
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886
>> Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
>> ---
>> This is not a problem for non-rpm installs because normal make install
>> will not change the permissions, it will just create the directory, so
>> it has 0755, but that difference is not something I'm trying to fix in
>> this patch.
>>  libvirt.spec.in | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>> diff --git a/libvirt.spec.in b/libvirt.spec.in
>> index bb8bfc3c25c1..48461e865dc8 100644
>> --- a/libvirt.spec.in
>> +++ b/libvirt.spec.in
>> @@ -2002,7 +2002,7 @@ exit 0
>>  %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
>>  %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
>>  %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
>> -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>> +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
>Seems OK, but are we sure every file created in that directory uses 007
>mask? Otherwise, we would be opening a hole here...

To be honest I haven't checked that.  I'm relying on the fact that
RPM-based installations are the only ones that get their permissions
for others cut down, hence all normal installations would be broken
already.  Looking at the monitor socket for example, it might've been
a problem, but it's pre-existing to this patch (again, for
non-RPM-based installations).  We could fix this by restricting the
per-VM directories' permissions when creating them.  There's also one
more problem, that the default permissions are also 755 for channels,
that should be fixed as well, it it really is a problem now.
Although, if using SELinux, I think the problem is either not there or
way less problematic.

What's your view on that?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20150909/f65d239d/attachment-0001.sig>

More information about the libvir-list mailing list