On 8/23/2021 3:57 PM, Michal Prívozník wrote:
> On 8/22/21 11:49 AM, Peng Liang wrote:
>> Hi all,
>> When we change the user for the QEMU process (change "user" and "group" in
>> /etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
>> also change the ownership of /var/cache/libvirt/qemu but will keep the
>> ownership of /var/cache/libvirt/qemu/capabilities as root.
>> Is it secure to put files/directories owned by root in a directory
>> owned by a normal user? Could the normal user replace root's files
>> with new ones?
>
> No, the capabilities directory lacks write perms:
>
> drwxr-xr-x 2 root root 234 Aug 20 17:11 /var/cache/libvirt/qemu/capabilities/
>
> and the caps files themselves are RW by root only:
>
> -rw------- 1 root root 144215 Aug 20 15:38 926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
>
> Therefore, I don't think a regular user could spoof capabilities.

But the regular user can rename capabilities and create a new one. For example,

# runuser -u qemu -- mv /var/cache/libvirt/qemu/capabilities /var/cache/libvirt/qemu/capabilities-bak
# runuser -u qemu -- mkdir /var/cache/libvirt/qemu/capabilities
# runuser -u qemu -- touch /var/cache/libvirt/qemu/capabilities/<hash>.xml

And I found that the operations can be done even though the sticky bit is set on /var/cache/libvirt/qemu :(

>
>> Does it need to set the sticky bit on
>> /var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
>> as root?
>>
>
> No, setting the sticky bit would make caps files owned by root:group and I
> don't think we want that (even though not even group can write caps files).
>
> I hope this answers your concern.

I found that libvirt puts some temporary files (e.g. screenshot files) which are used by qemu in /var/cache/libvirt/qemu. How about moving those files to domain dirs in /var/run/libvirt/qemu and keeping the ownership of /var/cache/libvirt/qemu as root?

Thanks,
Peng

>
> Michal
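The behaviour Peng reports above follows from how rename(2) and unlink(2) are permission-checked: only the parent directory's bits matter, and the sticky bit merely adds the condition that the caller own either the entry or the directory, which the owner of /var/cache/libvirt/qemu always satisfies. The script below models those rules and walks a path to list every component a given uid could swap out. It is an added example, not code from libvirt or from the thread; the directory layout and the qemu uid/gid of 107 are constructed assumptions, and `chain_from_fs()` lets the same check run against a live host.

```python
"""Model of the POSIX/Linux permission checks behind rename()/unlink(),
applied to a root-owned directory inside a user-owned one.
Added example, not libvirt code; the qemu uid/gid below are assumed."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

ROOT_UID = 0


@dataclass(frozen=True)
class Inode:
    """The fields of struct stat that the check needs."""
    path: str
    uid: int
    gid: int
    mode: int  # st_mode: file type, permission bits and S_ISVTX


def _has_bit(node: Inode, uid: int, gids: Iterable[int],
             owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Owner/group/other permission lookup; root bypasses it."""
    if uid == ROOT_UID:
        return True
    if uid == node.uid:
        return bool(node.mode & owner_bit)
    if node.gid in gids:
        return bool(node.mode & group_bit)
    return bool(node.mode & other_bit)


def can_modify_dir(directory: Inode, uid: int, gids: Iterable[int]) -> bool:
    """Creating, renaming or unlinking entries needs write and search on the directory."""
    return (_has_bit(directory, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
            and _has_bit(directory, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH))


def can_replace_entry(parent: Inode, entry: Inode, uid: int, gids: Iterable[int]) -> bool:
    """Can `uid` rename or unlink `entry` inside `parent` (and so substitute its own)?

    The entry's own mode and owner grant no protection.  The sticky bit on the
    parent adds a single condition: the caller must own the entry or the parent
    (root / CAP_FOWNER bypass it).  Whoever owns the parent passes that test for
    every entry in it.  (Moving a directory to a different parent would also need
    write access to the directory itself; the mv in the thread stays in place.)
    """
    if not can_modify_dir(parent, uid, gids):
        return False
    if parent.mode & stat.S_ISVTX:
        return uid in (ROOT_UID, parent.uid, entry.uid)
    return True


def replaceable_components(chain: List[Inode], uid: int, gids: Iterable[int]) -> List[str]:
    """Walk a path top-down and list every component `uid` could swap out.
    An empty list means the path is trustworthy against that user."""
    return [child.path for parent, child in zip(chain, chain[1:])
            if can_replace_entry(parent, child, uid, gids)]


def chain_from_fs(path: str) -> List[Inode]:
    """Build the chain for a real path with lstat(2), to run the check on a live host."""
    parts = [os.path.abspath(path)]
    while parts[-1] != os.path.dirname(parts[-1]):
        parts.append(os.path.dirname(parts[-1]))
    chain = []
    for p in reversed(parts):
        st = os.lstat(p)
        chain.append(Inode(p, st.st_uid, st.st_gid, st.st_mode))
    return chain


QEMU_UID = QEMU_GID = 107  # assumed uid/gid for the qemu user (constructed)


def thread_layout(sticky_on_qemu_dir: bool) -> List[Inode]:
    """Constructed model of the ownership described in the thread."""
    d = stat.S_IFDIR
    return [
        Inode("/", ROOT_UID, 0, d | 0o755),
        Inode("/var", ROOT_UID, 0, d | 0o755),
        Inode("/var/cache", ROOT_UID, 0, d | 0o755),
        Inode("/var/cache/libvirt", ROOT_UID, 0, d | 0o755),
        Inode("/var/cache/libvirt/qemu", QEMU_UID, QEMU_GID,
              d | 0o755 | (stat.S_ISVTX if sticky_on_qemu_dir else 0)),
        Inode("/var/cache/libvirt/qemu/capabilities", ROOT_UID, 0, d | 0o755),
    ]


def qemu_can_swap_capabilities(sticky_on_qemu_dir: bool) -> bool:
    chain = thread_layout(sticky_on_qemu_dir)
    return chain[-1].path in replaceable_components(chain, QEMU_UID, {QEMU_GID})


def tmp_style_scenario(sticky: bool) -> bool:
    """Contrast: root-owned, world-writable /tmp.  Here the sticky bit does protect
    a root-owned file from an unprivileged user, because root owns the parent."""
    tmp = Inode("/tmp", ROOT_UID, 0, stat.S_IFDIR | 0o777 | (stat.S_ISVTX if sticky else 0))
    f = Inode("/tmp/root-file", ROOT_UID, 0, stat.S_IFREG | 0o600)
    return can_replace_entry(tmp, f, 1000, {1000})


if __name__ == "__main__":
    for sticky in (False, True):
        print(f"qemu dir sticky={sticky}: qemu can swap capabilities -> "
              f"{qemu_can_swap_capabilities(sticky)}")
    print("weak links for qemu:",
          replaceable_components(thread_layout(True), QEMU_UID, {QEMU_GID}))
```

The fix the thread converges on is visible in the model: either make /var/cache/libvirt/qemu root-owned again, so the qemu uid fails `can_modify_dir()` on every ancestor, or move the qemu-written files elsewhere so that no root-owned data lives below a user-owned directory. Running `replaceable_components(chain_from_fs(path), uid, gids)` on a host gives the same answer for any path, which is the check to apply before trusting a root-owned cache or key file.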