On 06/04/2012 01:16 PM, Eric Blake wrote: > On 06/04/2012 06:56 AM, Royce Lv wrote: >> vdsm failed to connect to libvirt because of can't access >> /var/run/libvirt,caused by libvirt create this dir with umask(077) >> change the create umask to 022: >> https://bugzilla.redhat.com/show_bug.cgi?id=828073 >> >> Signed-off-by: lvroyce <lvroyce@xxxxxxxxxxxxxxxxxx> >> --- >> daemon/libvirtd.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c >> index c74cd43..6095072 100644 >> --- a/daemon/libvirtd.c >> +++ b/daemon/libvirtd.c >> @@ -293,7 +293,7 @@ daemonUnixSocketPaths(struct daemonConfig *config, >> if (!(rundir = virGetUserRuntimeDirectory())) >> goto error; >> >> - old_umask = umask(077); >> + old_umask = umask(022); > > Are you sure there are no other reasons to restrict group and world > read/search access to this directory? Opening up the permissions may be > the right fix, but I'd feel more comfortable if we had more > justification in the commit message describing why we are not > introducing a security breach by adding more access. Food for thought when answering this question. Right now, on my F17 box, I see: # ll /var/run/libvirt total 0 srwxrwxrwx. 1 root root 0 Jun 4 05:24 libvirt-sock srwxrwxrwx. 1 root root 0 Jun 4 05:24 libvirt-sock-ro drwxr-xr-x. 2 root root 40 Jun 4 05:24 libxl drwxr-xr-x. 2 root root 60 Jun 4 05:24 network drwxr-xr-x. 2 root root 80 Jun 4 13:18 qemu drwxr-xr-x. 2 root root 40 Jun 4 05:24 uml-guest but then I see this in libvirt.spec.in: %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ Why is the qemu listed as 755 on my file system, but 700 in the spec file? We've definitely got some explaining to do. -- Eric Blake eblake@xxxxxxxxxx +1-919-301-3266 Libvirt virtualization library http://libvirt.org
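Review bot: The changed `umask(022)` call in daemonUnixSocketPaths() sits directly after `if (!(rundir = virGetUserRuntimeDirectory()))`, so from the visible context it applies to a directory derived from the per-user runtime path, while the commit message describes /var/run/libvirt. Please confirm this is the branch that actually creates the directory vdsm cannot reach, and say so in the commit message. Going from 077 to 022 gives group and world read and search on whatever is created while this umask is active, so the message should also list what is created under it and what protects each entry once the directory itself is traversable (socket modes, subdirectory modes). The hunk does not show where `old_umask` is restored. It is worth checking that the widened mask covers only the intended mkdir and not later file or socket creation.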
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list