[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen

To: Wen Congyang <wency@xxxxxxxxxxxxxx>, Doug Goldstein <cardoe@xxxxxxxxxx>, xen devel <xen-devel@xxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Wed, 30 Dec 2015 11:00:52 +0000
Cc: Shriram Rajagopalan <rshriram@xxxxxxxxx>, Changlong Xie <xiecl.fnst@xxxxxxxxxxxxxx>, Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
Delivery-date: Wed, 30 Dec 2015 11:01:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 30/12/2015 05:25, Wen Congyang wrote:

On 12/30/2015 12:11 PM, Doug Goldstein wrote:

On 12/29/15 8:39 PM, Wen Congyang wrote:

We may use non-root user to run qemu, and the qemu needs to write
save file to /var/lib/xen. So we should allow all user to create
a file under the directory /var/lib/xen

Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
---
  tools/Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/Makefile b/tools/Makefile
index 820ca40..402b417 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -60,7 +60,7 @@ build all: subdirs-all
  install: subdirs-install
        $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
        $(INSTALL_DIR) $(DESTDIR)/var/log/xen
-       $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
+       $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen

.PHONY: uninstall

  uninstall: D=$(DESTDIR)

I could be wrong but this doesn't seem like something that you'd want to
do given what's stored in there. Could you do something with permissions
on sub-directories to achieve what you need?

The save file's path is:
#define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */

So all user must have write permission on the directory /var/lib/xen/, 
otherwise,
the migration will fail.

For now, I would avoid running qemu as a non-root user. It doesn't gainyou any meaninful security at present (at the expense of a warning whichcan't be turned off).

As to this bug, marking the directory 0777 is not an option, as saverecords necessarily contain sensitive data.

Longterm, (and already identified in one of the threads in the past),the best course of action is to switch away from having files, andpassing file descriptors instead. This is more flexible (currentlylibxl can't function on a read-only root filesystem), and would allow aprivileged entity to open the file descriptor and pass it to anon-privileged entity to use. This allows the non-privileged entity tofunction, and maintains security.


~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] [PATCH 0/5] migration/remus: bug fix and cleanup
  - From: Wen Congyang
- [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
  - From: Wen Congyang
- Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
  - From: Doug Goldstein
- Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
  - From: Wen Congyang

Prev by Date: Re: [Xen-devel] [PATCH 2/5] remus: don't write xenstore data if it fails
Next by Date: Re: [Xen-devel] [PATCH 3/5] tools/libxc: don't send end record if remus fails
Previous by thread: Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
Next by thread: [Xen-devel] [PATCH 1/5] remus: don't call stream_continue() when doing failover
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.