Re: [openstack-dev] Running dnsmasq in Neutron: unix rights
On 06/14/2014 07:26 PM, Thomas Goirand wrote:
Hi,
I've been thinking for a long time on how to fix dnsmasq unix rights
issue in Neutron. Namely (from syslog):
/var/lib/neutron/dhcp/{id}/host : Permission denied
One way to fix it is to do:
chmod o+x /var/lib/neutron
Though I don't feel it's the right way to do things. Wouldn't it be
nicer to add:
--user=neutron
in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian
users did that, and it worked. I was tempted to add such patch, but I
don't think it's the right thing to do without upstream approval.
Yet another way would be to use adduser and add the nobody user in the
neutron group, but I'm discarding that option as the least safe.
I don't want to introduce a Debian specific security hole in my Neutron
package, and I am therefore seeking for advices in this list. What's the
safest way to fix that problem?
Cheers,
Thomas Goirand (zigo)
P.S: The issue is also tracked at https://bugs.debian.org/751524, so
please leave 751...@bugs.debian.org as Cc: when replying.
After 10 days, nobody replied to this question... :(
Thomas
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Running dnsmasq in Neutron: unix rights
On Mon, Jun 23, 2014 at 10:10 AM, Thomas Goirand z...@debian.org wrote:
On 06/14/2014 07:26 PM, Thomas Goirand wrote:
Hi,
I've been thinking for a long time on how to fix dnsmasq unix rights
issue in Neutron. Namely (from syslog):
/var/lib/neutron/dhcp/{id}/host : Permission denied
One way to fix it is to do:
chmod o+x /var/lib/neutron
Though I don't feel it's the right way to do things. Wouldn't it be
nicer to add:
--user=neutron
in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian
users did that, and it worked. I was tempted to add such patch, but I
don't think it's the right thing to do without upstream approval.
Yet another way would be to use adduser and add the nobody user in the
neutron group, but I'm discarding that option as the least safe.
I don't want to introduce a Debian specific security hole in my Neutron
package, and I am therefore seeking for advices in this list. What's the
safest way to fix that problem?
Cheers,
Thomas Goirand (zigo)
P.S: The issue is also tracked at https://bugs.debian.org/751524, so
please leave 751...@bugs.debian.org as Cc: when replying.
After 10 days, nobody replied to this question... :(
I was hoping to get some replies from other distribution maintainers
here. Given that we haven't seen any, perhaps you could file a bug in
Launchpad and submit a patch as you indicate? That would move
discussion to gerrit and we may get some other folks with input there.
Thanks,
Kyle
Thomas
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Running dnsmasq in Neutron: unix rights
Hi,
I've been thinking for a long time on how to fix dnsmasq unix rights
issue in Neutron. Namely (from syslog):
/var/lib/neutron/dhcp/{id}/host : Permission denied
One way to fix it is to do:
chmod o+x /var/lib/neutron
Though I don't feel it's the right way to do things. Wouldn't it be
nicer to add:
--user=neutron
in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian
users did that, and it worked. I was tempted to add such patch, but I
don't think it's the right thing to do without upstream approval.
Yet another way would be to use adduser and add the nobody user in the
neutron group, but I'm discarding that option as the least safe.
I don't want to introduce a Debian specific security hole in my Neutron
package, and I am therefore seeking for advices in this list. What's the
safest way to fix that problem?
Cheers,
Thomas Goirand (zigo)
P.S: The issue is also tracked at https://bugs.debian.org/751524, so
please leave 751...@bugs.debian.org as Cc: when replying.
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
