Re: [PATCH] storage: use 0711 as the default perms for dirs

On Mon, May 15, 2017 at 09:27:38AM +0100, Daniel P. Berrange wrote:
On Thu, May 11, 2017 at 06:36:22PM -0400, John Ferlan wrote:


On 05/11/2017 04:31 AM, Christian Ehrhardt wrote:
> From: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
>
> There should be no need to make dir based pools world readable.
> So use 0711, not 0755, as the default perms for storage dirs.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---
>  docs/formatstorage.html.in | 2 +-
>  src/storage/storage_util.h | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>

Kinda surprised this didn't generate some immediate discussion...  I
would also think that if you had a desire to change defaults you'd also
have a libvirt.spec.in adjustment...

Actually no it doesn't - the spec file is already marking
/var/lib/libvirt/images as 0711.

Still 0755 or umask(022) seem to be fairly prevalent settings and having
the <mode> for the XML to be able to override a default certainly gives
credence to arguments in either direction whether or not to change the
defaults.

It's been a long while since I considered system/directory/file security
things, but I have this faint recollection of some strange issue when
not having world or group "executable" as a default.

The fact that RPM spec ships with 0711 shows that it works ok. So I
think this change is reasonable.


Same here.  I'm not sure, but I think even SELinux policy defaulted to
that.  Anyway, ACK to this one, I'll push this in a while.

While we're on this, is there some global config for the group in all
these permissions?  I would love to add a user to one group and make all
libvirt-related readable for that user with that one simple addition.


Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
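
What the move from 0755 to 0711 changes for users outside the owning user and group, as an added example that is not part of the patch or of any message in this thread: on a directory the read bit permits listing entry names, while the execute bit only permits reaching an entry whose path is already known. The function names and scratch directories are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not libvirt code): what can users outside the owning user
# and group do with a directory, judged from its mode bits alone?

# other_access DIR -> list+traverse | traverse-only | list-only | none
other_access() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat: octal mode, e.g. 711
    case "${mode#"${mode%?}"}" in           # last octal digit = "other" bits
        5|7) echo "list+traverse" ;;        # r-x, rwx: entry names can be enumerated
        1|3) echo "traverse-only" ;;        # --x, -wx: only already-known paths resolve
        4|6) echo "list-only" ;;            # r--, rw-: names visible, entries unreachable
        *)   echo "none" ;;                 # ---, -w-: neither read nor search
    esac
}

# audit_pool_dirs DIR... -> one line per directory; returns 1 if any
# directory is listable by "other" or cannot be examined.
audit_pool_dirs() {
    rc=0
    for d in "$@"; do
        acc=$(other_access "$d") || acc="unknown"
        case "$acc" in
            list*)   echo "WORLD-LISTABLE $d ($acc)"; rc=1 ;;
            unknown) echo "ERROR $d (stat failed)"; rc=1 ;;
            *)       echo "ok $d ($acc)" ;;
        esac
    done
    return "$rc"
}

# Constructed demo: two scratch directories stand in for pool targets.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/pool-0755" "$tmp/pool-0711"
    chmod 0755 "$tmp/pool-0755"
    chmod 0711 "$tmp/pool-0711"
    audit_pool_dirs "$tmp/pool-0755" "$tmp/pool-0711" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}

# "--demo" runs the constructed demo; any other arguments are audited.
case "${1:-}" in
    --demo) demo ;;
    "")     ;;
    *)      audit_pool_dirs "$@" ;;
esac
```

The check reads mode bits only, so POSIX ACLs or SELinux policy on the directory are outside what it reports.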
