
Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen

On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
>> On 30/12/2015 05:25, Wen Congyang wrote:
>>> On 12/30/2015 12:11 PM, Doug Goldstein wrote:
>>>> On 12/29/15 8:39 PM, Wen Congyang wrote:
>>>>> We may use a non-root user to run qemu, and qemu needs to write
>>>>> its save file to /var/lib/xen. So we should allow all users to create
>>>>> a file under the directory /var/lib/xen
>>>>> Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
>>>>> ---
>>>>>  tools/Makefile | 2 +-
>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>> diff --git a/tools/Makefile b/tools/Makefile
>>>>> index 820ca40..402b417 100644
>>>>> --- a/tools/Makefile
>>>>> +++ b/tools/Makefile
>>>>> @@ -60,7 +60,7 @@ build all: subdirs-all
>>>>>  install: subdirs-install
>>>>>   $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
>>>>>   $(INSTALL_DIR) $(DESTDIR)/var/log/xen
>>>>> - $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
>>>>> + $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
>>>>>  .PHONY: uninstall
>>>>>  uninstall: D=$(DESTDIR)
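Review bot: the `+ $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen` line grants every local user write access to the directory that holds the qemu save records, and because no sticky bit is set, any user can also unlink or rename files that other users created there. Narrow the change instead: install a dedicated subdirectory for the device model with a restrictive mode owned by the account qemu runs as (e.g. `$(INSTALL_DIR) -m 700` plus the matching ownership), or keep `/var/lib/xen` private and have the privileged caller open the save file and pass the descriptor to the non-root qemu. The commit message should also name the user qemu is expected to run as, since that is the only account the relaxation is meant to serve.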
>>>> I could be wrong but this doesn't seem like something that you'd want to
>>>> do given what's stored in there. Could you do something with permissions
>>>> on sub-directories to achieve what you need?
>>> The save file's path is:
>>> #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
>>> So all users must have write permission on the directory /var/lib/xen/,
>>> otherwise the migration will fail.
>> For now, I would avoid running qemu as a non-root user.  It doesn't gain you
>> any meaningful security at present (at the expense of a warning which can't
>> be turned off).
>> As to this bug, marking the directory 0777 is not an option, as save records
>> necessarily contain sensitive data.
>> Longterm, (and already identified in one of the threads in the past), the
>> best course of action is to switch away from having files, and passing file
>> descriptors instead.  This is more flexible (currently libxl can't function
>> on a read-only root filesystem), and would allow a privileged entity to open
>> the file descriptor and pass it to a non-privileged entity to use.  This
>> allows the non-privileged entity to function, and maintains security.
> Wen,
> Could you mention the use case for wanting to write files there? Looking
> at the patches you had sent for COLO and Remus they use a file descriptor,
> so what is the use-case here?

This is a bug in existing code.  It is not a COLO specific issue.

The current protocol for live migration requires Qemu to write its save
file here.

Until this issue is resolved, live migration is inoperable with Qemu
running as a non-root user.
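The descriptor-passing design Andrew describes in his earlier reply, as an added example that is not from this thread or from Xen's code: a privileged parent opens the save file itself with mode 0600, so the directory never has to be world-writable, and hands the open descriptor over a UNIX socket with SCM_RIGHTS to an unprivileged child standing in for qemu. The function names, the socketpair/fork layout and the file path are assumptions made for this demo; a real deployment would additionally drop privileges in the child.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one open descriptor over a UNIX socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char tag = 'F'; char cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char tag; char cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm; int fd;
    if (recvmsg(sock, &msg, 0) != 1 || !(cm = CMSG_FIRSTHDR(&msg)) ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Privileged parent opens the save file 0600 and passes the fd; the child (the
 * non-root qemu role) writes the record with no write access to the directory. */
int demo_pass_save_fd(const char *path, const char *payload)
{
    int sv[2], fd, status, rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                  /* unprivileged side */
        close(sv[0]); fd = recv_fd(sv[1]);
        _exit(fd >= 0 && write(fd, payload, strlen(payload)) == (ssize_t)strlen(payload) ? 0 : 1);
    }
    close(sv[1]);                                    /* privileged side */
    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0) { rc = send_fd(sv[0], fd); close(fd); }
    close(sv[0]);
    return waitpid(pid, &status, 0) == pid && rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}
```

If the privileged open fails, no descriptor is ever sent, the child sees end-of-file on the socket and exits non-zero, and the function reports failure instead of leaving a partial record behind.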

