On 01/07/2011 05:30 AM, Jiri Denemark wrote:
>>> Setting unix_sock_group to something else than default "root" in
>>> /etc/libvirt/libvirtd.conf prevents system libvirtd from dumping core on
>>> crash. This is because we used setgid(unix_sock_group) before binding to
>>> /var/run/libvirt/libvirt-sock* and setgid() back to original group.
>>> However, if a process changes its effective or filesystem group ID, it
>>> will be forbidden from leaving core dumps unless fs.suid_dumpable sysctl
>>> is set to something else than 0 (and it is 0 by default).
>>>
>>> Changing socket's group ownership after bind works better. And we can do
>>> so without introducing a race condition since we loosen access rights by
>>> changing the group from root to something else.
>>
>> If you use fchown(sock->fd) then you avoid any possible race issues.
>
> Except that it doesn't work. That was the first thing I tried but fchown()
> doesn't seem to work on unix sockets. The socket will still end up with
> root:root ownership regardless of where I put fchown() -- either before bind()
> to avoid race issues or after it, which wouldn't be any better than chown().

POSIX states that fchown() on pipes and sockets is allowed (but not
required) to fail with EINVAL. I think it's a POSIX-compliance bug in
the Linux kernel that it silently succeeds but ignores the change
request, but to be truly portable, we have to use chown() rather than
fchown() to avoid falling foul of the undefined behavior in the first
place (whether or not we can convince kernel folks to either make
fchown() fail with EINVAL or succeed at doing what we want).

So, I don't see any other alternatives, and your patch looks like the
way to go. ACK as-is.

--
Eric Blake eblake@xxxxxxxxxx +1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
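
The approach ACKed in this thread, as an added example that is not libvirt's patch or code from any participant: bind first, then chown() the socket by path and verify the result, with no setgid() call that would clear the dumpable flag. The helper name bind_group_socket, the umask(0077) and chmod() steps, and the listen backlog are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>

/* Hypothetical helper: bind a listening UNIX socket at `path`, then give it
 * group `gid` and permissions `mode`. Returns the fd, or -1 on failure. */
int bind_group_socket(const char *path, gid_t gid, mode_t mode)
{
    struct sockaddr_un addr;
    struct stat st;
    mode_t old_mask;
    int fd, rc;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);

    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;

    /* Create the node owner-only (0700), so each later step only loosens
     * access and there is no window where it is wider than intended. */
    old_mask = umask(0077);
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old_mask);
    if (rc < 0) {
        close(fd);
        return -1;
    }

    /* chown() by path, not fchown(fd): POSIX lets fchown() on a socket fail,
     * and the thread reports it being ignored on Linux. Re-check with stat()
     * rather than trusting a silent success. */
    if (chown(path, (uid_t)-1, gid) < 0 || chmod(path, mode) < 0 ||
        stat(path, &st) < 0 || st.st_gid != gid ||
        (st.st_mode & 0777) != mode || listen(fd, 16) < 0) {
        unlink(path);
        close(fd);
        return -1;
    }
    return fd;
}
```
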