Re: [patch] make libvirt run dir accessible for applications

On 06/04/2012 01:16 PM, Eric Blake wrote:
> On 06/04/2012 06:56 AM, Royce Lv wrote:
>> vdsm failed to connect to libvirt because it can't access
>> /var/run/libvirt, caused by libvirt creating this dir with umask(077).
>> Change the create umask to 022:
>> https://bugzilla.redhat.com/show_bug.cgi?id=828073
>>
>> Signed-off-by: lvroyce <lvroyce@xxxxxxxxxxxxxxxxxx>
>> ---
>>  daemon/libvirtd.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
>> index c74cd43..6095072 100644
>> --- a/daemon/libvirtd.c
>> +++ b/daemon/libvirtd.c
>> @@ -293,7 +293,7 @@ daemonUnixSocketPaths(struct daemonConfig *config,
>>              if (!(rundir = virGetUserRuntimeDirectory()))
>>                  goto error;
>>
>> -            old_umask = umask(077);
>> +            old_umask = umask(022);
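Review bot: The umask(022) change sits directly after the virGetUserRuntimeDirectory() call, so it loosens the mode of whatever is created from the per-user runtime directory, while the commit message describes a failure to access /var/run/libvirt. Please confirm this is the code path that creates the directory vdsm needs, and state in the commit message why granting group and world read/search access there is safe. A umask also applies to everything created until old_umask is restored, so consider setting an explicit mode on the one directory that must be reachable instead of widening the umask for the whole block.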
> 
> Are you sure there are no other reasons to restrict group and world
> read/search access to this directory?  Opening up the permissions may be
> the right fix, but I'd feel more comfortable if we had more
> justification in the commit message describing why we are not
> introducing a security breach by adding more access.

Food for thought when answering this question.  Right now, on my F17
box, I see:

# ll /var/run/libvirt
total 0
srwxrwxrwx. 1 root root  0 Jun  4 05:24 libvirt-sock
srwxrwxrwx. 1 root root  0 Jun  4 05:24 libvirt-sock-ro
drwxr-xr-x. 2 root root 40 Jun  4 05:24 libxl
drwxr-xr-x. 2 root root 60 Jun  4 05:24 network
drwxr-xr-x. 2 root root 80 Jun  4 13:18 qemu
drwxr-xr-x. 2 root root 40 Jun  4 05:24 uml-guest

but then I see this in libvirt.spec.in:

%ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/

Why is the qemu listed as 755 on my file system, but 700 in the spec
file?  We've definitely got some explaining to do.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
