
[Xen-devel] Re: [Xen-changelog] Set the permissions correctly on the XML-RPC UDP socket, so that non-root users



Did you see this failure after changing the socket location to /var/run/xend/xml-rpc.sock? The only way the permissions of /var/run/xend-xmlrpc.sock should be non-root is if /var/run has non-root permissions. Was that the case?

Regards,

Anthony Liguori

Xen patchbot -unstable wrote:
# HG changeset patch
# User emellor@xxxxxxxxxxxxxxxxxxxxxx
# Node ID 53ded2201b7f9737faa4edffd86a870e56b2d704
# Parent  601d0229a40e2de9a3cc3dec9e855d8b56b5a890
Set the permissions correctly on the XML-RPC UDP socket, so that non-root users
cannot use the socket.

This closes a security hole, and fixes the intermittent failure
of xm-test/06_list_nonroot.test.

c.f. xen-unstable changeset 9205:faa1eb1621b9 (same bug, different socket).

Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>

diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/util/xmlrpclib2.py
--- a/tools/python/xen/util/xmlrpclib2.py       Thu Mar 30 23:10:54 2006
+++ b/tools/python/xen/util/xmlrpclib2.py       Thu Mar 30 23:13:33 2006
@@ -23,7 +23,7 @@
 from httplib import HTTPConnection, HTTP
 from xmlrpclib import Transport
 from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
-import xmlrpclib, socket, os
+import xmlrpclib, socket, os, stat
 import SocketServer
import xen.xend.XendClient
@@ -105,10 +105,13 @@
     address_family = socket.AF_UNIX
def __init__(self, addr, logRequests):
-        if self.allow_reuse_address:
-            try:
+        parent = os.path.dirname(addr)
+        if os.path.exists(parent):
+            os.chown(parent, os.geteuid(), os.getegid())
+            os.chmod(parent, stat.S_IRWXU)
+            if self.allow_reuse_address and os.path.exists(addr):
                 os.unlink(addr)
-            except OSError, exc:
-                pass
+        else:
+            os.makedirs(parent, stat.S_IRWXU)
         TCPXMLRPCServer.__init__(self, addr, UnixXMLRPCRequestHandler,
                                  logRequests)
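
Review bot: the os.chown/os.chmod calls act on whatever os.path.dirname(addr) returns, so this constructor now assumes every socket address sits in a directory dedicated to it. If a caller passes an address directly under a shared directory (the form of the old /var/run/xend-xmlrpc.sock path), that shared directory would be set to mode 0700 and re-owned by the daemon's effective user. Consider checking that parent is the expected private directory, and a real directory rather than a symlink, before changing it. Separately, replacing the try/except with `os.path.exists(addr)` followed by `os.unlink(addr)` leaves a window where the socket can vanish between the two calls, and the resulting OSError now propagates out of __init__; keeping an `except OSError` around the unlink would preserve the old tolerance.
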
diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/xend/XendClient.py
--- a/tools/python/xen/xend/XendClient.py       Thu Mar 30 23:10:54 2006
+++ b/tools/python/xen/xend/XendClient.py       Thu Mar 30 23:13:33 2006
@@ -19,10 +19,10 @@
from xen.util.xmlrpclib2 import ServerProxy -XML_RPC_SOCKET = "/var/run/xend-xmlrpc.sock"
+XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock"
ERROR_INTERNAL = 1
 ERROR_GENERIC = 2
 ERROR_INVALID_DOMAIN = 3
-server = ServerProxy('httpu:///var/run/xend-xmlrpc.sock')
+server = ServerProxy('httpu:///var/run/xend/xmlrpc.sock')
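
Review bot: the new socket path is spelled out twice in this hunk, once in XML_RPC_SOCKET and again inside the ServerProxy URL literal, so the two can drift apart the next time the socket moves. Building the URL from the constant, for example `server = ServerProxy('httpu://' + XML_RPC_SOCKET)`, would leave a single definition for the client to follow.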

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 

