Bug 1045040 - /var/lib/libvirt/qemu permissions are wrong
Summary: /var/lib/libvirt/qemu permissions are wrong
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard:
Depends On: 1045069
Blocks: 805141
TreeView+ depends on / blocked
 
Reported: 2013-12-19 13:59 UTC by Richard W.M. Jones
Modified: 2016-04-10 17:21 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-10 17:21:40 UTC


Attachments (Terms of Use)

Description Richard W.M. Jones 2013-12-19 13:59:58 UTC
Currently:

drwxr-x---.  6 qemu qemu 4096 Dec 19 12:56 .

Dan thinks we should actually create subdirectories under
here for every guest, with the guest's uid:gid as the owner
of the subdirectory, allowing qemu to run as arbitrary
uid:gid and still access its monitor socket.

Version-Release number of selected component (if applicable):

libvirt 1.1.3 on Fedora 19

Also the same on Fedora 20.

Comment 1 Richard W.M. Jones 2014-01-09 16:57:32 UTC
libvirt currently creates the monitor sockets directly in
/var/lib/libvirt/qemu/ eg:

$ sudo ls -l /var/lib/libvirt/qemu/
total 16
srwxr-xr-x. 1 qemu qemu    0 Jan  6 16:00 builder-rhel6.monitor
srwxr-xr-x. 1 qemu qemu    0 Dec 20 22:04 builder-rhel7.monitor
[etc]

The problem is this doesn't work if we told libvirt to run qemu as
another UID, which is possible (albeit undocumented):

  <seclabel model='dac' type='static'> <label>user:group</label> </seclabel>

If you do that you'll find that qemu won't be able to access the
monitor socket in some situations.

To fix this, libvirt should create a subdirectory per guest.  The
permissions on /var/lib/libvirt/qemu/ should be relaxed, and the owner
or SELinux label of /var/lib/libvirt/qemu/<guestname> should be set so
qemu can access it.

(I suspect the monitor sockets should really go in /run, but the
same arguments apply)

Comment 2 Paul Wouters 2015-10-13 19:31:06 UTC
I agree. for libreswan we run a test suite with libvirt where our own user 'build' creates the vms and every libvirt update my tests start failing and I have to run:


chmod g+w /var/lib/libvirt/qemu/

So at least group qemu write permissions would be nice.

Comment 3 Cole Robinson 2016-04-10 17:21:40 UTC
Upstream libvirt does this nowadays:

$ sudo ls /var/lib/libvirt/qemu/
channel  domain-9-f23  dump  nvram  save  snapshot

Where domain-9-f23 is used for the monitor socket for running vm name=f23 id=9


Note You need to log in before you can comment on or make changes to this bug.