| Summary: | virsh creates images and directories with the wrong ownership and permissions | ||
|---|---|---|---|
| Product: | [Community] Virtualization Tools | Reporter: | Lex van Roon <r3boot> |
| Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | unspecified | CC: | crobinso, janne.savikko, tharbaug, xen-maint |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-23 13:01:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Lex van Roon
2011-06-21 14:43:02 UTC
Description of problem:
See above.
Version-Release number of selected component (if applicable):
libvirt: 0.9.2-4ubuntu15
OS: Ubuntu/Oneiric
Additional info:
It seems that libvirt (or virsh/virt-manager) doesn't care about storage pool template's permissions even though I have them defined. virsh sets permissions to 0600 root:root, virt-manager to 0600 102:105.
$ virsh pool-list --details
Name State Autostart Persistent Capacity Allocation Available
-------------------------------------------------------------------------
default running yes yes 220.01 GB 29.70 GB 190.31 GB
$ virsh pool-dumpxml default
<pool type='dir'>
<name>default</name>
<uuid>8235850b-ffaf-0dc3-11b1-3be5b36e7b97</uuid>
<capacity>236228661240</capacity>
<allocation>31886737400</allocation>
<available>204341923832</available>
<source>
</source>
<target>
<path>/var/lib/libvirt/images</path>
<permissions>
<mode>0640</mode>
<owner>102</owner>
<group>105</group>
</permissions>
</target>
</pool>
It appears that this is due to
security/security_dac.c:virSecurityDACRestoreSecurityFileLabelInternal()
which indiscriminately sets the owner:group to 0:0 regardless of what it is
supposed to be:
static int
virSecurityDACRestoreSecurityFileLabelInternal(virSecurityDACDataPtr priv,
virStorageSourcePtr src,
const char *path)
{
VIR_INFO("Restoring DAC user and group on '%s'",
NULLSTR(src ? src->path : path));
/* XXX record previous ownership */
return virSecurityDACSetOwnershipInternal(priv, src, path, 0, 0);
}
Notice the nice comment: XXX record previous ownership. Someone knew that
it would be a problem and glossed over it.
Something like this might help:
static int
virSecurityDACRestoreSecurityFileLabelInternal(virSecurityDACDataPtr priv,
virStorageSourcePtr src,
const char *path)
{
uid_t uid = 0;
gid_t gid = 0;
VIR_INFO("priv(%p)", priv);
if (priv) {
uid = priv->user;
gid = priv->group;
}
VIR_INFO("Restoring DAC user and group on '%s'",
NULLSTR(src ? src->path : path));
/* XXX record previous ownership */
return virSecurityDACSetOwnershipInternal(priv, src, path, uid, gid);
}
But my concern is that it still doesn't remember what it should be - it
just sets it to a value. If I understood more about *why* the ownership
needed to be changed back-and-forth I'd make a real patch.
My guess is that 1004673 is related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1004673 A temporary solution is to disable ownership shuffling in /etc/libvirt/libvirtd.conf: dynamic_ownership = 0 There's a few things in here. The original report about default storage pool permissions is no longer valid, upstream uses 0755 now. The latter comments about libvirt not resetting file ownership to the original owner is a separate issue and is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=636156 Closing as CURRENTRELEASE since the original reported issue is fixed |