virFileOpenAs takes desired uid:gid as arguments, and not only uses
them for a fork/setuid/setgid when retrying failed open operations,
but additionally always forces the opened file to be owned by the
given uid:gid.
One example of the problems this causes is that, when restoring a
domain from a file that is owned by the qemu user, opening the file
chowns it to root. if dynamic_ownership=1 this is coincidentally
expected, but if dynamic_ownership=0, no existing file should ever
have its ownership changed.
This patch adds an extra check before calling fchown() - it only does
it if O_CREAT was passed to virFileOpenAs() in the openflags.
---
src/util/util.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/src/util/util.c b/src/util/util.c
index b278165..9556bdb 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -697,6 +697,7 @@ virFileOpenAsNoFork(const char *path, int openflags, mode_t mode,
goto error;
}
if (((st.st_uid != uid) || (st.st_gid != gid))
+ && (openflags & O_CREAT)
&& (fchown(fd, uid, gid) < 0)) {
ret = -errno;
virReportSystemError(errno, _("cannot chown '%s' to (%u, %u)"),
--
1.7.3.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list