This really feels like a serious security bug. The whole point of
running qemu as non root is to prevent it from accessing files that you
haven't given it permission to. By blindly chowning files to the qemu
user, you allow for the user who is given permission to run virtual
machines to start
See https://www.redhat.com/archives/libvir-
list/2011-October/msg00104.html and https://www.redhat.com/archives
/libvir-list/2011-October/msg00110.html for the upstream response. The
first message describes the proper fix (switching from chown to acls in
the dac security code). The second
yes, I can set a readonly mount. Will have it set in a few. Thank you,
Serge.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/691590
Title:
libvirt should not take ownership of ISO
Re-verified the bug and the patch, and sent the patch to the upstream
mailing list:
https://www.redhat.com/archives/libvir-list/2011-September/msg00458.html
If upstream rejects this, then I will mark the bug wontfix.
--
You received this bug notification because you are a member of Ubuntu
It seems the ISOs are hosed right now, I get a sudden reboot in the
basic package install. But -- as far as this bug is concerned -- the
ISOs ownership are maintained on the original owner.
Perfect, Serge.
--
You received this bug notification because you are a member of Ubuntu
Server Team,
** Attachment added: Proposed patch to not chown isos
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/691590/+attachment/1774914/+files/debdiff
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
A package with the proposed fix is available for natty in ppa:serge-
hallyn/virt. If this does what you need, then we can proceed to talk to
the libvirt community.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
Thank you, Serge. Testing it now.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/691590
Title:
libvirt should not take ownership of ISO images
--
Ubuntu-server-bugs mailing list
So does that suffice for your needs?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/691590
Title:
libvirt should not take ownership of ISO images
--
Ubuntu-server-bugs mailing
Actually, no... theonly change is the owner got to be root, from
libvirt. I still am not convinced a read-only ISO has to be chown-ed to
the libvirt account.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
I intend to write a patch to make this behavior an option, and send it
to the libvirt list for comment.
** Changed in: libvirt (Ubuntu)
Status: New = Triaged
** Changed in: libvirt (Ubuntu)
Importance: Undecided = Low
--
You received this bug notification because you are a member of
** Bug watch added: Red Hat Bugzilla #568935
https://bugzilla.redhat.com/show_bug.cgi?id=568935
** Also affects: libvirt via
https://bugzilla.redhat.com/show_bug.cgi?id=568935
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of
A correction on the above I just tried with qemu.conf setting
user/group to root -- the ISO gets chown-ed to root:root, 0600.:
Actually, the permissions are kept as they were.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in
This whole bug is about libvirt's DAC security driver. It will chown
files to the user that kvm runs as. On Ubuntu, this is the libvirt-
qemu:kvm user (adjustable via /etc/libvirt/qemu.conf). If you look at
the ISO file, its ownership should have been changed to this user. The
DAC security driver
** Tags added: iso-testing
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/691590
Title:
libvirt should not take ownership of ISO images
--
Ubuntu-server-bugs mailing list
I don't think it would be safe at any rate to have the ISO images be
written to while kvm is reading them. Would it be ok to work around
this another way?
Perhaps the right way to update the ISOs is:
cp orig.iso new.iso
rsync -Pv mirror://updated_iso.iso new.iso
rm
Yes, this would work (as long as the process doing this move owns the
directory -- otherwise it is still an error 13). The whole point,
though, is that libvirt does not need to take ownership of a *read-only*
file.
At least it could revert the ownership when the VM is closed, if you
want to
Serge, from what I understand of rsync, it never writes directly to the
destination file, it will create a temporary hidden file and write to
that, then unlink/rename when the transfer is complete.
So the steps can just be
rsync rsync://mirror/file.iso orig.iso
it won't interfere at all with
18 matches
Mail list logo
