Bug 649523 - bogus permissions on /var/lib/libvirt in libvirt spec file
Summary: bogus permissions on /var/lib/libvirt in libvirt spec file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
Assignee: Eric Blake
QA Contact: Virtualization Bugs
URL:
Whiteboard:
: 627124 634862 (view as bug list)
Depends On:
Blocks: 662045
Reported: 2010-11-03 21:39 UTC by Eric Blake
Modified: 2018-11-14 15:34 UTC (History)

Fixed In Version: libvirt-0.8.6-1.el6
Doc Type: Bug Fix
Doc Text:
A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
Clone Of: 649511
: 684798 (view as bug list)
Environment:
Last Closed: 2011-05-19 13:23:35 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0596 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2011-05-18 17:56:36 UTC

Description Eric Blake 2010-11-03 21:39:39 UTC
+++ This bug was initially created as a clone of Bug #649511 +++

Description of problem:
After using preupgrade to convert from F13 to F14, I could no longer start any VMs.  I tracked the problem to bad permissions on /var/lib/libvirt.

Version-Release number of selected component (if applicable):
libvirt-0.8.3-2.fc14.x86_64


How reproducible:
Haven't tried reproducing, but if you need me to, I could set up an F13 VM and re-run preupgrade to see if it repeats.


Steps to Reproduce:
1. preupgrade from f13 -> f14
2. virsh start vm-name
3. ls -ld /var/lib/libvirt
4. chmod 755 /var/lib/libvirt
5. virsh start vm-name 
  
Actual results:
1. upgrade appears to work fine
2. # virsh start fedora_12
error: Failed to start domain fedora_12
error: internal error Process exited while reading console log output: bind(unix:/var/lib/libvirt/qemu/fedora_12.monitor): Permission denied
chardev: opening backend "socket" failed
3. # ll -d /var/lib/libvirt/{,qemu}
drwx------. 9 root root 4096 Aug 23 15:32 /var/lib/libvirt/
drwx------. 4 qemu qemu 4096 Aug 23 15:32 /var/lib/libvirt/qemu
4. success
5. can start vm again


Expected results:
upgrading should not corrupt directory permissions

Additional info:
/var/lib/libvirt should be 0755, not 0700.  It might be a bug in the libvirt-0.8.3-2.fc14.x86_64 spec file that sets inappropriate permissions, and the preupgrade process favored the spec file permissions rather than the permissions that were previously in place in F13.

--- Additional comment from eblake on 2010-11-03 15:09:32 MDT ---

Hmm - I see this in upstream libvirt.spec.in, as well as in the libvirt.spec included in libvirt-0.8.3-2.fc14.srpm:

%dir %{_localstatedir}/lib/libvirt/

%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt

So it's definitely a spec-file bug, and traces back to commit 66823690e (v0.8.2~203).

--- Additional comment from eblake on 2010-11-03 15:26:51 MDT ---

Upstream patch posted:
https://www.redhat.com/archives/libvir-list/2010-November/msg00238.html

---
Although this specfile bug was not present in libvirt-0.8.1, it was back-ported into the spec file used to build libvirt-0.8.1-7.el6, and has remained there through libvirt-0.8.1-27.el6.

Comment 1 Eric Blake 2010-11-03 21:41:53 UTC
The upstream patch only touches libvirt.spec.in, and so it will automatically be picked up for RHEL 6.1 when we rebase to upstream 0.8.6 or newer.  But for the RHEL z-stream, it seems like this is an easy spec file fix to backport directly to libvirt.spec as soon as there is any other z-stream activity that warrants a release.

Comment 2 Eric Blake 2010-11-03 21:47:14 UTC
If we fail to fix the specfile, then it is possible for a z-stream update for any other reason to result in rpm downgrading the permissions of /var/lib/libvirt from 0755 to 0700 during the upgrade process.  Reduced permissions on this directory will then render it impossible for anyone running a VM as the qemu user to obtain access to any /var/lib/libvirt/*.monitor sockets.

Comment 3 Eric Blake 2010-11-08 15:03:04 UTC
I've reduced things to a minimal testcase that proves the problem can affect z-stream upgrades if the spec file is not patched:

# rpm -q libvirt{,-client}
libvirt-0.8.1-27.el6.x86_64
libvirt-client-0.8.1-27.el6.x86_64
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt-client -y
...
# ls -ld /var/lib/libvirt/
drwx------. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/
# yum reinstall libvirt -y
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 7 root root 4096 Aug 18 06:07 /var/lib/libvirt/

Therefore, it is the libvirt-client package that has the broken permissions, and if libvirt-client is upgraded independently (or after) libvirt, then the problem is present.  In general, libvirt and libvirt-client bump versions simultaneously, and yum dependencies favor installing libvirt last, which is why we haven't run into the problem very many times in practice.

Comment 4 Dave Allan 2010-11-09 02:34:53 UTC
*** Bug 634862 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Berrangé 2010-11-12 16:36:50 UTC
*** Bug 627124 has been marked as a duplicate of this bug. ***

Comment 7 Jiri Denemark 2010-12-10 12:07:12 UTC
Fixed upstream by v0.8.5-60-gf970d80:

commit f970d802ab805f1a37af384f148f34e108714034
Author: Eric Blake <eblake>
Date:   Wed Nov 3 15:20:24 2010 -0600

    rpm: fix /var/lib/libvirt permissions

Comment 9 wangyimiao 2010-12-24 08:19:02 UTC
verified it PASSED on build :
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64
qemu-kvm-0.12.1.2-2.128.el6.x86_64
qemu-img-0.12.1.2-2.128.el6.x86_64
kernel-2.6.32-93.el6.x86_64
Steps:
1.
# rpm -q libvirt{,-client}
libvirt-0.8.6-1.el6.x86_64
libvirt-client-0.8.6-1.el6.x86_64

2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 24 09:14 /var/lib/libvirt/

3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-client-0.8.6-1.el6.x86_64.rpm 

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Dec 23 15:36 /var/lib/libvirt/

Comment 11 Vivian Bian 2011-02-15 09:17:48 UTC
retested with 

libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64

Steps:
1.# rpm -q libvirt{,-client}
libvirt-0.8.7-6.el6.x86_64
libvirt-client-0.8.7-6.el6.x86_64


2.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/



3.Reinstall "libvirt-client" package
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]


4.Check "/var/lib/libvirt" permission
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/


5.Reinstall "libvirt-client" package again
# rpm -ivh --replacepkgs libvirt-new/libvirt-client-0.8.7-6.el6.x86_64.rpm 
Preparing...                ########################################### [100%]
   1:libvirt-client         ########################################### [100%]

6.Check "/var/lib/libvirt" permission again.
# ls -ld /var/lib/libvirt/
drwxr-xr-x. 9 root root 4096 Feb 12 00:35 /var/lib/libvirt/

The permissions on /var/lib/libvirt are correct. So set bug status to VERIFIED

Comment 12 Martin Prpič 2011-04-15 14:22:18 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.

Comment 15 Laura Bailey 2011-05-04 05:12:46 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-A specification file bug caused permissions on the /var/lib/libvirt directory to change when upgrading a system. With this update, correct permissions are assigned to the aforementioned directory.+A specification file bug caused permissions on the /var/lib/libvirt directory to change when a system was upgraded. With this update, correct permissions are assigned to the aforementioned directory.
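Review bot: in both the removed and the added sentence the defect is described only as permissions that "change" and a fix that assigns "correct permissions", with no mode given. Suggest stating the values from this report (0700 applied where 0755 is expected) so an administrator reading the technical note can check the directory directly.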

Comment 16 errata-xmlrpc 2011-05-19 13:23:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0596.html

