On 8/22/21 11:49 AM, Peng Liang wrote:
> Hi all,
> When we change the user for QEMU process (change "user" and "group" in
> /etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
> also change the ownership of /var/cache/libvirt/qemu but will keep the
> ownership of /var/cache/libvirt/qemu/capabilities as root.
> Is it secure to put files/directories owned by root in a directory
> owned by a normal user? Could the normal user replace the root's file
> with a new one?

No, the capabilities directory lacks write perms:

drwxr-xr-x 2 root root 234 Aug 20 17:11 /var/cache/libvirt/qemu/capabilities/

and caps files themselves are RW by root only:

-rw------- 1 root root 144215 Aug 20 15:38 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml

Therefore, I don't think a regular user could spoof capabilities.

> Does it need to set sticky bit on
> /var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
> as root?
>

No, setting sticky bit would make caps files owned by root:group and I
don't think we want that (even though, not even group can write caps files).

I hope this answers your concern.

Michal
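
Added example, not part of the original message and not libvirt code: a Python check that reports the owner and mode of a caps path and of every directory above it, since an entry is created, renamed or removed under the permissions of the directory that contains it. The function name audit_path, its parameters and the default of trusting only uid 0 are assumptions made for this illustration.

```python
import os
import stat
import sys


def audit_path(target, trusted_uids=(0,), stop_at="/"):
    """Return (path, reason) findings for target and each parent up to stop_at.

    Every parent directory is checked, not only the target, because the
    permissions of a directory govern who may add, rename or remove the
    entries inside it.
    """
    findings = []
    path = os.path.realpath(target)    # audit the resolved chain, not symlinks
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in trusted_uids:
            # The owner controls the mode bits and, for a directory, its entries.
            findings.append((path, "owned by uid %d" % st.st_uid))
        loose = mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory, writers cannot rename or remove entries
        # that belong to someone else, so the write bits are not reported.
        sticky_dir = stat.S_ISDIR(st.st_mode) and mode & stat.S_ISVTX
        if loose and not sticky_dir:
            findings.append((path, "group/other writable, mode %04o" % mode))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            return findings
        path = parent


if __name__ == "__main__":
    # Default target is the directory named in the thread above.
    default = "/var/cache/libvirt/qemu/capabilities"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    if not os.path.exists(target):
        sys.exit("no such path: %s" % target)
    for where, why in audit_path(target):
        print("%s: %s" % (where, why))
```

An empty result means every component from the target up to the root is owned by a trusted uid and has no unguarded group or other write bit.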