[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen



On Tue, 2016-01-26 at 00:00 +0000, Andrew Cooper wrote:
> On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> > On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
> > > On 30/12/2015 05:25, Wen Congyang wrote:
> > > > On 12/30/2015 12:11 PM, Doug Goldstein wrote:
> > > > > On 12/29/15 8:39 PM, Wen Congyang wrote:
> > > > > > We may use non-root user to run qemu, and the qemu needs to
> > > > > > write
> > > > > > save file to /var/lib/xen. So we should allow all user to
> > > > > > create
> > > > > > a file under the directory /var/lib/xen
> > > > > > 
> > > > > > Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
> > > > > > ---
> > > > > > Âtools/Makefile | 2 +-
> > > > > > Â1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > > 
> > > > > > diff --git a/tools/Makefile b/tools/Makefile
> > > > > > index 820ca40..402b417 100644
> > > > > > --- a/tools/Makefile
> > > > > > +++ b/tools/Makefile
> > > > > > @@ -60,7 +60,7 @@ build all: subdirs-all
> > > > > > Âinstall: subdirs-install
> > > > > > Â   $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
> > > > > > Â   $(INSTALL_DIR) $(DESTDIR)/var/log/xen
> > > > > > -   $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
> > > > > > +   $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
> > > > > > Â.PHONY: uninstall
> > > > > > Âuninstall: D=$(DESTDIR)
> > > > > > 
> > > > > I could be wrong but this doesn't seem like something that you'd
> > > > > want to
> > > > > do given what's stored in there. Could you do something with
> > > > > permissions
> > > > > on sub-directories to achieve what you need?
> > > > > 
> > > > The save file's path is:
> > > > #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /*
> > > > .$domid */
> > > > 
> > > > So all user must have write permission on the directory
> > > > /var/lib/xen/, otherwise,
> > > > the migration will fail.
> > > For now, I would avoid running qemu as a non-root user.ÂÂIt doesn't
> > > gain you
> > > any meaninful security at present (at the expense of a warning which
> > > can't
> > > be turned off).
> > > 
> > > As to this bug, marking the directory 0777 is not an option, as save
> > > records
> > > necessarily contain sensitive data.
> > > 
> > > Longterm, (and already identified in one of the threads in the past),
> > > the
> > > best course of action is to switch away from having files, and
> > > passing file
> > > descriptors instead.ÂÂThis is more flexible (currently libxl can't
> > > function
> > > on a read-only root filesystem), and would allow a privileged entity
> > > to open
> > > the file descriptor and pass it to a non-privileged entity to
> > > use.ÂÂThis
> > > allows the non-privileged entity to function, and maintains security.
> > Wen,
> > 
> > Could you mention the use case for wanting to write files there?
> > Looking
> > at the patches you had sent for COLO and Remus they use an file
> > descriptor - so
> > what is the use-case here?
> 
> This is a bug in existing code.ÂÂIt is not a COLO specific issue.
> 
> The current protocol for live migration requires Qemu to write its save
> file here.
> 
> Until this issue is resolved, live migration is inoperable with Qemu
> running as a non-root user.

Stefano, is this already on your list of issues to address?

In any case creating a world writeable directory is clearly a non-starter.
We might need the toolstack to create a directory with suitable permissions
until we can rework things to work with fds only.

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.