[libvirt] [PATCH] storage: use 0711 as the default perms for dirs
Martin Kletzander
mkletzan at redhat.com
Mon May 15 10:55:36 UTC 2017
On Mon, May 15, 2017 at 09:27:38AM +0100, Daniel P. Berrange wrote:
>On Thu, May 11, 2017 at 06:36:22PM -0400, John Ferlan wrote:
>>
>>
>> On 05/11/2017 04:31 AM, Christian Ehrhardt wrote:
>> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
>> >
>> > There should be no need to make dir based pools world readable.
>> > So use 0711, not 0755, as the default perms for storage dirs.
>> >
>> > Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
>> > ---
>> > docs/formatstorage.html.in | 2 +-
>> > src/storage/storage_util.h | 2 +-
>> > 2 files changed, 2 insertions(+), 2 deletions(-)
>> >
>>
>> Kinda surprised this didn't generate some immediate discussion... I
>> would also think that if you had a desire to change defaults you'd also
>> have a libvirt.spec.in adjustment...
>
>Actually no it doesn't - the spec file is already marking
>/var/lib/libvirt/images as 0711.
>
>> Still 0755 or umask(022) seem to be fairly prevalent settings and having
>> the <mode> for the XML to be able to override a default certainly gives
>> credence to arguments in either direction whether or not to change the
>> defaults.
>>
>> It's been a long while since I considered system/directory/file security
>> things, but I have this faint recollection of some strange issue when
>> not having world or group "executable" as a default.
>
>The fact that RPM spec ships with 0711 shows that it works ok. So I
>think this change is reasonable.
>
Same here. I'm not sure, but I think even SELinux policy defaulted to
that. Anyway, ACK to this one, I'll push this in a while.

While we're on this, is there some global config for the group in all
these permissions? I would love to add a user to one group and make all
libvirt-related readable for that user with that one simple addition.
>
>Regards,
>Daniel
>--
>|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org -o- https://fstop138.berrange.com :|
>|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
>
>--
>libvir-list mailing list
>libvir-list at redhat.com
>https://www.redhat.com/mailman/listinfo/libvir-list
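
What the 0711 versus 0755 choice discussed in this thread means for a dir pool, as an added example that is not code from the patch or from libvirt: it reads the `<mode>` element of storage pool XML and reports what users outside the owner and group can do with the directory. The sample pool definitions are constructed, and the 0711 fallback when `<mode>` is absent is an assumption taken from the patch subject.

```python
import stat
import xml.etree.ElementTree as ET

# Assumption: default taken from the patch subject in this thread.
DEFAULT_DIR_MODE = 0o711

# Constructed sample pool definitions (not taken from the thread).
SAMPLE_POOLS = [
    "<pool type='dir'><name>images</name>"
    "<target><path>/var/lib/libvirt/images</path></target></pool>",
    "<pool type='dir'><name>legacy</name><target><path>/srv/pools/legacy</path>"
    "<permissions><mode>0755</mode></permissions></target></pool>",
    "<pool type='dir'><name>scratch</name><target><path>/srv/pools/scratch</path>"
    "<permissions><mode> 0777 </mode></permissions></target></pool>",
]

def pool_mode(xml_text):
    """Return (name, mode, defaulted) for one pool definition."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name")
    mode_text = root.findtext("target/permissions/mode")
    if mode_text is None or not mode_text.strip():
        return name, DEFAULT_DIR_MODE, True
    # <mode> is written in octal; keep only the permission bits.
    return name, stat.S_IMODE(int(mode_text.strip(), 8)), False

def other_access(mode):
    """What the 'other' permission bits allow on a directory."""
    return {
        "list": bool(mode & stat.S_IROTH),      # read bit: enumerate file names
        "traverse": bool(mode & stat.S_IXOTH),  # execute bit: open a known path
        "write": bool(mode & stat.S_IWOTH),     # write bit: create/delete entries
    }

def audit(pools):
    """Classify each pool directory by its exposure to other users."""
    findings = []
    for xml_text in pools:
        name, mode, defaulted = pool_mode(xml_text)
        acc = other_access(mode)
        if acc["write"]:
            verdict = "world-writable"
        elif acc["list"]:
            verdict = "world-listable"
        elif acc["traverse"]:
            verdict = "traverse-only"
        else:
            verdict = "private"
        findings.append((name, "%04o" % mode, verdict, defaulted))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_POOLS):
        print(row)
```

With 0711 other users can still open a volume whose path they already know, subject to that file's own permissions, but cannot enumerate the directory's contents.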