On 06/04/2012 01:16 PM, Eric Blake wrote: > On 06/04/2012 06:56 AM, Royce Lv wrote: >> vdsm failed to connect to libvirt because of can't access >> /var/run/libvirt,caused by libvirt create this dir with umask(077) >> change the create umask to 022: >> https://bugzilla.redhat.com/show_bug.cgi?id=828073 >> >> Signed-off-by: lvroyce <[email protected]> >> --- >> daemon/libvirtd.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c >> index c74cd43..6095072 100644 >> --- a/daemon/libvirtd.c >> +++ b/daemon/libvirtd.c >> @@ -293,7 +293,7 @@ daemonUnixSocketPaths(struct daemonConfig *config, >> if (!(rundir = virGetUserRuntimeDirectory())) >> goto error; >> >> - old_umask = umask(077); >> + old_umask = umask(022); > > Are you sure there are no other reasons to restrict group and world > read/search access to this directory? Opening up the permissions may be > the right fix, but I'd feel more comfortable if we had more > justification in the commit message describing why we are not > introducing a security breach by adding more access.
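Review bot: The changed line `old_umask = umask(022);` widens the directory created under it from owner-only to group- and world-readable and searchable, and the commit message does not say why that is safe or why every account, rather than only vdsm, needs access. The context just above it takes rundir from virGetUserRuntimeDirectory(), while the commit message names /var/run/libvirt, so the message should state which directory this code path actually creates. If a single service needs access, consider a narrower mask such as 027 together with a suitable group, and describe in the message what lives in the directory and why exposing its listing is acceptable.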
Food for thought when answering this question. Right now, on my F17
box, I see:
# ll /var/run/libvirt
total 0
srwxrwxrwx. 1 root root 0 Jun 4 05:24 libvirt-sock
srwxrwxrwx. 1 root root 0 Jun 4 05:24 libvirt-sock-ro
drwxr-xr-x. 2 root root 40 Jun 4 05:24 libxl
drwxr-xr-x. 2 root root 60 Jun 4 05:24 network
drwxr-xr-x. 2 root root 80 Jun 4 13:18 qemu
drwxr-xr-x. 2 root root 40 Jun 4 05:24 uml-guest
but then I see this in libvirt.spec.in:
%ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
Why is the qemu listed as 755 on my file system, but 700 in the spec
file? We've definitely got some explaining to do.
--
Eric Blake [email protected] +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/libvir-list
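To see what the two masks in the quoted patch produce on disk, and to check a directory against the mode a spec file declares, here is an added example (not libvirt code and not part of the original message). The scratch path under /tmp and the helper names mode_under_umask and mode_drift are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a child directory with mkdir(0777) under the given umask inside a
 * private scratch directory; return its permission bits, or -1 on failure. */
static int mode_under_umask(mode_t mask)
{
    char base[64], child[80];
    struct stat st;
    int result = -1;

    snprintf(base, sizeof(base), "/tmp/umask-demo-%ld", (long)getpid());
    snprintf(child, sizeof(child), "%s/run", base);
    if (mkdir(base, 0700) != 0)        /* constructed scratch path */
        return -1;

    mode_t old = umask(mask);          /* process-wide: keep the window small */
    int rc = mkdir(child, 0777);
    umask(old);                        /* always restore the previous mask */

    if (rc == 0 && stat(child, &st) == 0)
        result = st.st_mode & 0777;
    rmdir(child);
    rmdir(base);
    return result;
}

/* Audit helper: 0 if path has exactly the expected permission bits,
 * 1 if it differs, -1 if the path cannot be examined. */
static int mode_drift(const char *path, mode_t expected)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & 07777) == expected ? 0 : 1;
}

int main(void)
{
    printf("umask 077 -> %04o\n", (unsigned)mode_under_umask(077));
    printf("umask 022 -> %04o\n", (unsigned)mode_under_umask(022));
    /* Path and 0700 come from the spec line quoted in the message. */
    printf("qemu dir drift: %d\n", mode_drift("/var/run/libvirt/qemu", 0700));
    return 0;
}
```

A drift result of 1 for the qemu directory corresponds to the mismatch described in the message: 755 on disk against 0700 in the spec file.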
