Questions about the ownership of /var/cache/libvirt/qemu

Michal Prívozník mprivozn at
Mon Aug 23 07:57:14 UTC 2021

On 8/22/21 11:49 AM, Peng Liang wrote:
> Hi all,
>   When we change the user for QEMU process (change "user" and "group" in
> /etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
> also change the ownership of /var/cache/libvirt/qemu but will keep the
> ownership of /var/cache/libvirt/qemu/capabilities as root.
>   Is it secure to put files/directories owned by root in a directory
> owned by a normal user?  Could the normal user replace the root's file
> with a new one?  

No, the capabilities directory lacks write perms:

drwxr-xr-x 2 root root 234 Aug 20 17:11

and caps files themselves are RW by root only:

-rw------- 1 root root 144215 Aug 20 15:38

Therefore, I don't think a regular user could spoof capabilities.

> Does it need to set sticky bit on
> /var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
> as root?

No, setting sticky bit would make caps files owned by root:group and I
don't think we want that (even though, not even group can write caps files).

I hope this answers your concern.


More information about the libvir-list mailing list