On 01/05/2011 03:03 PM, Laine Stump wrote:
> When dynamic_ownership=0, saved images must be owned by the same uid
> as is used to run the qemu process, otherwise restore won't work. To
> accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
> simply return when it's called.
>
> This fix is in response to:
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=661720

ACK.

> ---
>
> Note that this still leaves open the issue discovered in this bug - if
> the saved image file already exists when it is "created" for the new
> save, whatever mode it has will be maintained, rather than forcing
> 0600. It would be simple to force the mode to 0600 (just add a flag to
> virFileOperation(), but I'm not sure if it would be safe to do so
> right now without a *lot* of testing (I'm concerned about possible
> scenarios where the chmod() that's done when the FORCE_PERMISSIONS
> flag is set might fail, making a previously working case fail). Any
> opinions on that? (At any rate, it should be done in a separate patch
> if we decide to do it).

For that matter, we could argue that the bug is in whatever code created
the file with the overly-permissive permissions in the first place, and
that libvirt should not change (what gives libvirt the right to decide
to lock down permissions on an already existing file?). So _if_ we
decide that libvirt needs to do anything at all, then it's definitely
material for a separate patch.

--
Eric Blake   eblake@xxxxxxxxxx    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
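An added illustration, not part of the thread and not libvirt's code, of the behaviour discussed above: the mode passed to open() with O_CREAT is ignored when the file already exists, and forcing 0600 afterwards introduces a call that can fail. The helper names, the /tmp path and the 0644 starting mode are assumptions made up for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not libvirt's virFileOperation(): open a save file
 * asking for mode 0600. open()'s mode argument only applies when the file
 * is actually created; an existing file keeps the mode it already had.
 * With force != 0, fchmod() the descriptor to 0600 and report a failure
 * (for example EPERM when the caller does not own the file) instead of
 * continuing. Returns the resulting permission bits, or -errno. */
static int open_save_file(const char *path, int force)
{
    struct stat sb;
    int mode;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -errno;
    if (force && fchmod(fd, S_IRUSR | S_IWUSR) < 0)
        mode = -errno;              /* the new failure path forcing adds */
    else if (fstat(fd, &sb) < 0)
        mode = -errno;
    else
        mode = (int)(sb.st_mode & 07777);
    close(fd);
    return mode;
}

/* Constructed scenario: a stale image left behind with mode 0644 is
 * "created" again for a new save, with or without forcing the mode. */
static int resave_over_stale_file(int force)
{
    char path[] = "/tmp/saved-image-demo-XXXXXX";   /* constructed path */
    int mode, fd = mkstemp(path);                   /* mkstemp gives 0600 */
    if (fd < 0)
        return -errno;
    mode = fchmod(fd, 0644) < 0 ? -errno : 0;       /* loosen it first */
    close(fd);
    if (mode == 0)
        mode = open_save_file(path, force);
    unlink(path);
    return mode;
}

int main(void)
{
    printf("open() only: %04o, with fchmod(): %04o\n",
           (unsigned)resave_over_stale_file(0), (unsigned)resave_over_stale_file(1));
    return 0;
}
```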