On Tue, Jul 09, 2013 at 10:12:59PM -0400, Chris Lalancette wrote:
> Hello,
> The Oz automated install program (http://github.com/clalancette/oz)
> uses a serial device inside a guest to communicate the guest IP address to
> a listener on the host; once the host has the IP address, other
> customization steps can take place.
> This serial device in the guest is currently backed by a TCP socket on
> the host. I use the following libvirt XML snippet to set this up:
>
> <serial type="tcp">
>   <source mode="bind" host="127.0.0.1" service="9412"/>
>   <protocol type="raw"/>
>   <target port="1"/>
> </serial>
>
> DanB points out that this is probably insecure, and we should use named
> pipes or Unix domain sockets instead. I was able to implement Unix domain
> sockets with a few minor changes to Oz, but I'm running into a permissions
> problem.
> Essentially, the problem is that when you run Oz as a regular, non-root
> user, there is no convenient place on the filesystem where both the qemu
> user can read and write the socket, and where the user that is running Oz
> can read the socket. I've tried using /var/lib/libvirt/qemu/*.port, but
> that directory is 0650, so the regular user has no permission to it.
> Similarly, the qemu user may not have permission to read the user's home
> directory, so I can't really put it there either.
> Does anyone have any ideas of what I might do here? I'm open to
> changing to any of Unix domain sockets, pipes, UDP sockets, or whatever,
> but it has to work for both root and non-root users.

The fact that a non-root user can't connect to any of those resources is
in fact a security feature. Otherwise it'd be just as bad as using the
localhost TCP socket.

If Oz is running non-root, why isn't it using qemu:///session so that the
VMs run as non-root too? Then you don't have this privilege separation
problem to hack around.

If you really must run it as root, then instead of opening the device
directly, you could use the new virDomainOpenChannel() API to open a
virStreamPtr connected to the serial device for doing I/O through.

Daniel

--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
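The virDomainOpenChannel() route suggested above, as an added example that is neither Oz's nor libvirt's own code. It assumes the quoted TCP serial device is replaced by a libvirt-managed unix-socket virtio channel (the kind of device virDomainOpenChannel() operates on) named org.example.oz.ip, a constructed name, and that the guest writes one line of the form IP=<addr> to it; channel_xml, extract_guest_ip and read_guest_ip are hypothetical helper names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed channel name; Oz's real target name is not given on the page.
CHANNEL_NAME = "org.example.oz.ip"

def channel_xml(name=CHANNEL_NAME):
    """Replacement for the quoted <serial type="tcp"> snippet: a unix-socket
    channel whose socket libvirt creates and owns, so no 127.0.0.1 listener
    reachable by every local user is left on the host."""
    ch = ET.Element("channel", type="unix")
    ET.SubElement(ch, "source", mode="bind")
    ET.SubElement(ch, "target", type="virtio", name=name)
    return ET.tostring(ch, encoding="unicode")

def extract_guest_ip(buf):
    """First well-formed 'IP=<addr>' line as an ip_address object, else None;
    anything the guest sends that does not parse as an address is ignored."""
    for line in buf.split(b"\n"):
        if line.startswith(b"IP="):
            try:
                return ipaddress.ip_address(line[3:].strip().decode("ascii"))
            except (ValueError, UnicodeDecodeError):
                continue
    return None

def read_guest_ip(domain_name, uri="qemu:///session", max_bytes=64 * 1024):
    """Read the address through virDomainOpenChannel(): access is mediated by
    libvirt's own authorization, and Oz never touches a socket path."""
    import libvirt  # imported lazily so the helpers above run without libvirt
    conn = libvirt.open(uri)
    try:
        dom = conn.lookupByName(domain_name)
        st = conn.newStream(0)  # blocking stream: recv() waits for guest data
        # FORCE detaches any other client currently holding the channel open.
        dom.openChannel(CHANNEL_NAME, st, libvirt.VIR_DOMAIN_CHANNEL_FORCE)
        buf, addr = b"", None
        while addr is None and len(buf) < max_bytes:  # bound memory use
            chunk = st.recv(4096)
            if not chunk:               # b"" means the guest closed the port
                break
            buf += chunk
            addr = extract_guest_ip(buf)
        st.abort()                      # release the channel for other clients
        return addr
    finally:
        conn.close()
```

Inside a Linux guest with the virtio-serial driver loaded, the channel shows up as /dev/virtio-ports/org.example.oz.ip, which is where the guest-side script would write its IP line.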