On Tue, Sep 18, 2007 at 05:38:09AM +0100, Daniel P. Berrange wrote:
> When I submitted the patches for PolicyKit[1] support a few weeks back Rich
> suggested that we should have the ability to set UNIX socket permissions
> and group ownership regardless. So this patch adds that ability. The default
> setting is still, group=root, and mode=0700 for R/W socket and mode=0777
> for the R/O socket.
>
> It is possible to override this via the config file
>
> eg, Don't allow R/O monitoring
>
> unix_sock_ro_perms="0700"
>
> eg, Allow any user in 'admin' group to manage VMs
>
> unix_sock_group="admin"
> unix_sock_rw_perms="0770"
>
> eg, Allow anyone to do anything
>
> unix_sock_rw_perms="0777"
>
>
> NB, the fchgrp, and fchown syscalls don't have any effect on sockets, so
> to set the group ownership & desired mode, I have to play games with the
> setgid() and umask() calls prior to bind(), and then restore them to their
> original values.
>
>
> NB, the virConf apis don't seem to recognise Octal numbers when parsing
> the config file, so I've used strings for the permissions. Not a big deal
> really unless someone desperately wants to fix the config file parser...

[...]
> +static gid_t unix_sock_gid = 0; /* Only root by default */
> +static int unix_sock_rw_perms = 0700; /* Allow user only */
> +static int unix_sock_ro_perms = 0777; /* Allow world */
[...]
> - if (readonly)
> - oldmask = umask(~(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH));
> - else
> - oldmask = umask(~(S_IRUSR | S_IWUSR));
> + oldgrp = getgid();
> + oldmask = umask(readonly ? ~unix_sock_ro_perms : ~unix_sock_rw_perms);
> + if (getuid() == 0)
> + setgid(unix_sock_gid);
> +

Looks fine but we went from the full macros definition to the pre digested octal value.
But I'm not old enough to really care :-)

+1

Daniel

--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library http://libvirt.org/
veillard@xxxxxxxxxx  | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
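
Review bot: the setgid(unix_sock_gid) call at the end of the second hunk ignores its return value. If it fails, bind() creates the socket under the process's original group while the configured mode (for example unix_sock_rw_perms="0770") is still applied through umask(), so group access lands on a group the administrator did not choose. Check the result and abandon the socket setup on failure, and do the same wherever oldgrp is restored. The guard also tests getuid() == 0, but setgid() is decided by the effective uid, so geteuid() would match what the call actually requires.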
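
The umask()-before-bind() step described in the quoted message, as an added example that is not part of the original thread or of libvirt's code. It covers only the mode (the setgid() half needs root), and the function names and the /tmp path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a UNIX socket so its file is created with perms; returns fd or -1.
 * umask is process-wide: keep other threads from creating files meanwhile. */
static int bind_unix_with_perms(const char *path, mode_t perms)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    mode_t oldmask;
    int fd, rc;
    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;                      /* refuse rather than truncate */
    strcpy(addr.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    oldmask = umask(~perms & 0777);     /* mask off every bit not requested */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(oldmask);                     /* restore whether bind worked or not */
    if (rc < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: bind under /tmp, return the on-disk mode or -1. */
static int socket_mode_after_bind(mode_t perms)
{
    char path[64];
    struct stat st;
    int fd, mode = -1;
    snprintf(path, sizeof(path), "/tmp/sockperm.%ld.sock", (long)getpid());
    if ((fd = bind_unix_with_perms(path, perms)) < 0)
        return -1;                      /* bind() refuses an existing path */
    if (stat(path, &st) == 0)
        mode = st.st_mode & 0777;
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    printf("socket mode: %04o\n", (unsigned)socket_mode_after_bind(0770));
    return 0;
}
```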