[virt-tools-list] [RFC PATCH 2/2] virt-manager: make cache directories accessible only to the owner

Cole Robinson crobinso at redhat.com
Tue Nov 5 17:07:11 UTC 2013


On 11/01/2013 12:49 PM, Giuseppe Scrivano wrote:
> There is no reason to expose cache files to everyone, so restrict
> access to the owner.
> 
> Signed-off-by: Giuseppe Scrivano <gscrivan at redhat.com>
> ---
>  virtManager/connection.py   | 2 +-
>  virtManager/domain.py       | 2 +-
>  virtinst/cli.py             | 2 +-
>  virtinst/distroinstaller.py | 2 +-
>  virtinst/urlfetcher.py      | 2 +-
>  virtinst/util.py            | 2 +-
>  6 files changed, 6 insertions(+), 6 deletions(-)
> 

With old enough libvirt, where vol upload isn't available, virt-manager will
download kernel/initrd to the cache dir, and the launched qemu process needs
to access them in place.

virt-manager already has some logic to ask the user if we can fix these
permissions which might do the job here, but I wouldn't want to apply this
patch until it's explicitly tested. Easiest is just to leave it as is.

Thanks,
Cole

> diff --git a/virtManager/connection.py b/virtManager/connection.py
> index 313f680..d93fcb2 100644
> --- a/virtManager/connection.py
> +++ b/virtManager/connection.py
> @@ -316,7 +316,7 @@ class vmmConnection(vmmGObject):
>          uri = self.get_uri().replace("/", "_")
>          ret = os.path.join(util.get_cache_dir(), uri)
>          if not os.path.exists(ret):
> -            os.makedirs(ret, 0755)
> +            os.makedirs(ret, 0700)
>          return ret
>  
>      def get_default_storage_format(self):
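Review bot: The tighter mode only takes effect on first creation, because `os.makedirs(ret, 0700)` sits under `if not os.path.exists(ret):`; a cache directory created as 0755 by an earlier release keeps that mode after upgrading, so existing users get none of the restriction this patch intends. The same pattern is in the domain.py, urlfetcher.py and util.py hunks. If existing directories are meant to be tightened too, follow the creation with `os.chmod(ret, 0700)` outside the exists check, or else state in the commit message that only newly created directories are affected. Note that the mode passed to makedirs is still filtered by the umask, which can only remove bits, so 0700 is never widened. get_cache_dir's header is outside the hunk.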
> diff --git a/virtManager/domain.py b/virtManager/domain.py
> index b8324d5..bb93166 100644
> --- a/virtManager/domain.py
> +++ b/virtManager/domain.py
> @@ -1649,7 +1649,7 @@ class vmmDomain(vmmLibvirtObject):
>      def get_cache_dir(self):
>          ret = os.path.join(self.conn.get_cache_dir(), self.get_uuid())
>          if not os.path.exists(ret):
> -            os.makedirs(ret, 0755)
> +            os.makedirs(ret, 0700)
>          return ret
>  
>  
> diff --git a/virtinst/cli.py b/virtinst/cli.py
> index a2add57..e660a5e 100644
> --- a/virtinst/cli.py
> +++ b/virtinst/cli.py
> @@ -155,7 +155,7 @@ def setupLogging(appname, debug_stdout, do_quiet, cli_app=True):
>              raise RuntimeError("No write access to directory %s" % vi_dir)
>  
>          try:
> -            os.makedirs(vi_dir, 0751)
> +            os.makedirs(vi_dir, 0700)
>          except IOError, e:
>              raise RuntimeError("Could not create directory %s: %s" %
>                                 (vi_dir, e))
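Review bot: The `except IOError, e:` around the changed `os.makedirs(vi_dir, 0700)` call does not catch the error makedirs actually raises: os.mkdir and os.makedirs raise OSError, and in Python 2 (which this file's `except X, e` syntax targets) OSError is not a subclass of IOError, so a failed creation escapes as a raw traceback instead of the RuntimeError with the directory name. Change the handler to `except (IOError, OSError), e:`. This is pre-existing, but the commit touches the line it guards. setupLogging begins and ends outside the hunk.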
> diff --git a/virtinst/distroinstaller.py b/virtinst/distroinstaller.py
> index 7acabd1..2cd041e 100644
> --- a/virtinst/distroinstaller.py
> +++ b/virtinst/distroinstaller.py
> @@ -227,7 +227,7 @@ def _perform_initrd_injections(initrd, injections, scratchdir):
>          return
>  
>      tempdir = tempfile.mkdtemp(dir=scratchdir)
> -    os.chmod(tempdir, 0775)
> +    os.chmod(tempdir, 0700)
>  
>      for filename in injections:
>          logging.debug("Copying %s to the initrd.", filename)
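Review bot: After this change the `os.chmod(tempdir, 0700)` line is a no-op: tempfile.mkdtemp already creates the directory with mode 0700, accessible only to the creating user, so the call now just re-applies what mkdtemp set. The old 0775 was the only reason the chmod existed, since it widened mkdtemp's default. Either drop the line or keep it with a comment such as `# mkdtemp already creates 0700; kept to make the owner-only intent explicit` so the next reader does not think it changes anything. _perform_initrd_injections continues past the end of the hunk.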
> diff --git a/virtinst/urlfetcher.py b/virtinst/urlfetcher.py
> index a31d7de..5a1d4eb 100644
> --- a/virtinst/urlfetcher.py
> +++ b/virtinst/urlfetcher.py
> @@ -62,7 +62,7 @@ class _ImageFetcher(object):
>  
>      def saveTemp(self, fileobj, prefix):
>          if not os.path.exists(self.scratchdir):
> -            os.makedirs(self.scratchdir, 0750)
> +            os.makedirs(self.scratchdir, 0700)
>          (fd, fn) = tempfile.mkstemp(prefix="virtinst-" + prefix,
>                                      dir=self.scratchdir)
>          block_size = 16384
> diff --git a/virtinst/util.py b/virtinst/util.py
> index f79192e..5bcfbe0 100644
> --- a/virtinst/util.py
> +++ b/virtinst/util.py
> @@ -494,7 +494,7 @@ def make_scratchdir(conn, hvtype):
>          not os.access(scratch, os.W_OK)):
>          scratch = os.path.join(get_cache_dir(), "boot")
>          if not os.path.exists(scratch):
> -            os.makedirs(scratch, 0751)
> +            os.makedirs(scratch, 0700)
>  
>      return scratch
>  
> 



