Re: [openstack-dev] Running dnsmasq in Neutron: unix rights
On 06/14/2014 07:26 PM, Thomas Goirand wrote: Hi, I've been thinking for a long time on how to fix dnsmasq unix rights issue in Neutron. Namely (from syslog): /var/lib/neutron/dhcp/{id}/host : Permission denied One way to fix it is to do: chmod o+x /var/lib/neutron Though I don't feel it's the right way to do things. Wouldn't it be nicer to add: --user=neutron in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian users did that, and it worked. I was tempted to add such patch, but I don't think it's the right thing to do without upstream approval. Yet another way would be to use adduser and add the nobody user in the neutron group, but I'm discarding that option as the least safe. I don't want to introduce a Debian specific security hole in my Neutron package, and I am therefore seeking for advices in this list. What's the safest way to fix that problem? Cheers, Thomas Goirand (zigo) P.S: The issue is also tracked at https://bugs.debian.org/751524, so please leave 751...@bugs.debian.org as Cc: when replying. After 10 days, nobody replied to this question... :( Thomas ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Running dnsmasq in Neutron: unix rights
On Mon, Jun 23, 2014 at 10:10 AM, Thomas Goirand z...@debian.org wrote: On 06/14/2014 07:26 PM, Thomas Goirand wrote: Hi, I've been thinking for a long time on how to fix dnsmasq unix rights issue in Neutron. Namely (from syslog): /var/lib/neutron/dhcp/{id}/host : Permission denied One way to fix it is to do: chmod o+x /var/lib/neutron Though I don't feel it's the right way to do things. Wouldn't it be nicer to add: --user=neutron in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian users did that, and it worked. I was tempted to add such patch, but I don't think it's the right thing to do without upstream approval. Yet another way would be to use adduser and add the nobody user in the neutron group, but I'm discarding that option as the least safe. I don't want to introduce a Debian specific security hole in my Neutron package, and I am therefore seeking for advices in this list. What's the safest way to fix that problem? Cheers, Thomas Goirand (zigo) P.S: The issue is also tracked at https://bugs.debian.org/751524, so please leave 751...@bugs.debian.org as Cc: when replying. After 10 days, nobody replied to this question... :( I was hoping to get some replies from other distribution maintainers here. Given that we haven't seen any, perhaps you could file a bug in Launchpad and submit a patch as you indicate? That would move discussion to gerrit and we may get some other folks with input there. Thanks, Kyle Thomas ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Running dnsmasq in Neutron: unix rights
Hi, I've been thinking for a long time on how to fix dnsmasq unix rights issue in Neutron. Namely (from syslog): /var/lib/neutron/dhcp/{id}/host : Permission denied One way to fix it is to do: chmod o+x /var/lib/neutron Though I don't feel it's the right way to do things. Wouldn't it be nicer to add: --user=neutron in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian users did that, and it worked. I was tempted to add such patch, but I don't think it's the right thing to do without upstream approval. Yet another way would be to use adduser and add the nobody user in the neutron group, but I'm discarding that option as the least safe. I don't want to introduce a Debian specific security hole in my Neutron package, and I am therefore seeking for advices in this list. What's the safest way to fix that problem? Cheers, Thomas Goirand (zigo) P.S: The issue is also tracked at https://bugs.debian.org/751524, so please leave 751...@bugs.debian.org as Cc: when replying. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev