
Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen



On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
> On 30/12/2015 05:25, Wen Congyang wrote:
> >On 12/30/2015 12:11 PM, Doug Goldstein wrote:
> >>On 12/29/15 8:39 PM, Wen Congyang wrote:
> >>>We may use a non-root user to run qemu, and qemu needs to write the
> >>>save file to /var/lib/xen. So we should allow all users to create
> >>>a file under the directory /var/lib/xen
> >>>
> >>>Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
> >>>---
> >>>  tools/Makefile | 2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>>diff --git a/tools/Makefile b/tools/Makefile
> >>>index 820ca40..402b417 100644
> >>>--- a/tools/Makefile
> >>>+++ b/tools/Makefile
> >>>@@ -60,7 +60,7 @@ build all: subdirs-all
> >>>  install: subdirs-install
> >>>   $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
> >>>   $(INSTALL_DIR) $(DESTDIR)/var/log/xen
> >>>-  $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
> >>>+  $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
> >>>  .PHONY: uninstall
> >>>  uninstall: D=$(DESTDIR)
> >>>
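Review bot: the `-m 777` on the `+  $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen` line makes the directory writable by every local user with no sticky bit, so any user can create, rename or unlink entries there, including a qemu-save.<domid> record while a migration is in flight, and can pre-create that path before qemu opens it. The `$(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)` rule two lines above is the pattern this directory should follow; if the device model must run unprivileged, give it a dedicated subdirectory owned by that user, or have the privileged side open the save file and hand over the descriptor, rather than opening the whole of /var/lib/xen.
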
> >>I could be wrong but this doesn't seem like something that you'd want to
> >>do given what's stored in there. Could you do something with permissions
> >>on sub-directories to achieve what you need?
> >>
> >The save file's path is:
> >#define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
> >
> >So all users must have write permission on the directory /var/lib/xen/,
> >otherwise the migration will fail.
> 
> For now, I would avoid running qemu as a non-root user.  It doesn't gain you
> any meaningful security at present (at the expense of a warning which can't
> be turned off).
> 
> As to this bug, marking the directory 0777 is not an option, as save records
> necessarily contain sensitive data.
> 
> Longterm, (and already identified in one of the threads in the past), the
> best course of action is to switch away from having files, and passing file
> descriptors instead.  This is more flexible (currently libxl can't function
> on a read-only root filesystem), and would allow a privileged entity to open
> the file descriptor and pass it to a non-privileged entity to use.  This
> allows the non-privileged entity to function, and maintains security.

Wen,

Could you mention the use case for wanting to write files there? Looking
at the patches you had sent for COLO and Remus, they use a file descriptor, so
what is the use case here?

Thanks!
> 
> ~Andrew
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
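
The descriptor-passing arrangement Andrew describes above (a privileged entity opens the save file, an unprivileged one receives only the open descriptor), as an added example in C. This is not Xen or libxl code and comes from nobody in the thread; it assumes a scratch directory under /tmp in place of /var/lib/xen, a made-up domid of 7, a constructed payload in place of a real save record, and helper names of its own (`dir_world_writable`, `open_save_file`, `send_fd`, `recv_fd`, `fd_pass_demo`).

```c
/* Added example, not Xen/libxl code: the privileged side creates the save file in a
 * directory that is not world-writable and hands the unprivileged side only the open
 * descriptor (SCM_RIGHTS over AF_UNIX). Directory, domid, payload, names: all assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if dir is world-writable with no sticky bit (what "-m 777" installs), 0 if not, -1 on error. */
int dir_world_writable(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0) return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Privileged side: create <dir>/qemu-save.<domid> owner-only and return its fd. */
int open_save_file(const char *dir, int domid)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/qemu-save.%d", dir, domid) >= (int)sizeof path) return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
}

/* Send one descriptor over a connected AF_UNIX socket: 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(): the new fd, or -1 on error/EOF. */
int recv_fd(int sock)
{
    char byte; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

static const char SAVE_BLOB[] = "constructed qemu-save record for domid 7";   /* constructed payload */

/* Runs the exchange in a fresh 0700 scratch directory: 0 on success, else a negative step code. */
int fd_pass_demo(void)
{
    char dir[] = "/tmp/xen-fdpass-XXXXXX", path[PATH_MAX], back[sizeof SAVE_BLOB];
    int sv[2] = { -1, -1 }, fd, rfd = -1, status, rc = -2;
    struct stat st;
    pid_t pid = -1;
    if (!mkdtemp(dir)) return -1;                                /* mkdtemp() creates the dir 0700 */
    if (chmod(dir, 0777) || dir_world_writable(dir) != 1) goto out;   /* the patch's mode is flagged */
    if (chmod(dir, 0700) || dir_world_writable(dir) != 0) goto out;   /* the tightened mode is not */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || (pid = fork()) < 0) goto out;
    if (pid == 0) {                                              /* unprivileged side: fd only, no path */
        close(sv[0]);
        fd = recv_fd(sv[1]);
        _exit(fd >= 0 && write(fd, SAVE_BLOB, sizeof SAVE_BLOB) == (ssize_t)sizeof SAVE_BLOB ? 0 : 1);
    }
    fd = open_save_file(dir, 7);                                 /* privileged side */
    rc = fd < 0 ? -3 : (send_fd(sv[0], fd) == 0 ? 0 : -4);
    if (fd >= 0) close(fd);                                      /* parent keeps no copy of the file */
    close(sv[0]); close(sv[1]); sv[0] = sv[1] = -1;              /* EOF for the child if nothing was sent */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status)) rc = rc ? rc : -5;
    snprintf(path, sizeof path, "%s/qemu-save.%d", dir, 7);
    if (!rc && (stat(path, &st) || (st.st_mode & 0777) != 0600)) rc = -6;      /* file stayed owner-only */
    if (!rc && ((rfd = open(path, O_RDONLY)) < 0 || read(rfd, back, sizeof back) != (ssize_t)sizeof back ||
                memcmp(back, SAVE_BLOB, sizeof back))) rc = -7;                   /* child's bytes landed */
    if (rfd >= 0) close(rfd); unlink(path);
out:
    if (sv[0] >= 0) close(sv[0]); if (sv[1] >= 0) close(sv[1]);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = fd_pass_demo();
    printf("fd-passing demo: rc=%d (0 = ok)\n", rc);
    return rc != 0;
}
```

Build with `cc -Wall -o fdpass fdpass.c` and run it; the child here runs under the same uid as the parent because the example cannot drop privileges without root, so the point it makes is structural: the receiving side never sees the path and never needs write permission on the directory, and the file it writes stays 0600 while the directory stays 0700. A real receiver should additionally `fstat()` the descriptor it is handed and refuse anything that is not a regular file.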