On Fri, 2009-07-31 at 09:41 +0100, Daniel P. Berrange wrote:
> On Fri, Jul 31, 2009 at 09:28:37AM +0100, Mark McLoughlin wrote:
> > On Thu, 2009-07-30 at 15:00 +0100, Daniel P. Berrange wrote:
> > > There is a minor bug when running QEMU non-root, and having
> > > capng enabled. libvirt is unable to write the PID file in
> > > /var/run/libvirt/qemu, since it's now owned by 'qemu', but
> > > libvirtd has dropped all capabilities at this point. The fix
> > > is to delay dropping capabilities until after the PID file
> > > has been created. We should also be sure to kill the child
> > > if writing the PID file fails.
> >
> > I haven't looked into it much yet, but don't we need to open up the
> > permissions on /var/lib/libvirt/images now? At least from 700 to 711 so
> > qemu can open images?
>
> Hmm, that's a good point, we definitely need to do that. 711 should be
> good because that lets us chmod the individual images to allow QEMU
> user to open them, while not allowing people to list the contents of
> the directory.

Okay, committing this.

Cheers,
Mark.

From: Mark McLoughlin <markmc@xxxxxxxxxx>
Subject: [PATCH] Set perms on /var/lib/libvirt/images to 0711

Allow qemu user to open images in this dir, but still prevent others
from listing it.

* libvirt.spec.in: set /var/lib/libvirt/images perms to 0711
---
 libvirt.spec.in |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index c295629..fdc2210 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -489,7 +489,7 @@ fi
 %dir %{_localstatedir}/run/libvirt/
 %dir %{_localstatedir}/lib/libvirt/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/
+%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
 %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
-- 
1.6.2.5

-- 
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
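Review bot: widening images/ from 0700 to 0711 in this hunk makes the directory traversable by every local user, so the confidentiality of each image now rests entirely on that file's own mode and ownership rather than on the directory; the commit message should state that, and that images are expected to be kept 0600 and chmod'ed only for the qemu user as the thread discusses. If a qemu group exists, `%attr(0710, root, qemu)` would grant traversal to the qemu user alone instead of to everyone. The adjacent boot/ and cache/libvirt/ lines stay at 0700 in the same hunk; worth confirming the non-root qemu process never needs to open files there, or the same change applies to them.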