Description of problem:
Libvirt gets the value of the sticky bit incorrectly.

Version-Release number of selected component (if applicable):
# rpm -qa |grep libvirt
libvirt-daemon-0.9.13-2.el6.x86_64
libvirt-devel-0.9.13-2.el6.x86_64
libvirt-python-0.9.13-2.el6.x86_64
libvirt-debuginfo-0.9.13-2.el6.x86_64
libvirt-0.9.13-2.el6.x86_64
libvirt-client-0.9.13-2.el6.x86_64
libvirt-docs-0.9.13-2.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
# ll -Z /var/lib/libvirt/images/rhel6q.img
-rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c675,c890 /var/lib/libvirt/images/rhel6q.img
=====> The permission of the image is 600.

# virsh vol-dumpxml /var/lib/libvirt/images/rhel6q.img
<volume>
  <name>rhel6q.img</name>
  <key>/var/lib/libvirt/images/rhel6q.img</key>
  <source>
  </source>
  <capacity unit='bytes'>8589934592</capacity>
  <allocation unit='bytes'>3345813504</allocation>
  <target>
    <path>/var/lib/libvirt/images/rhel6q.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0600</mode>
      <owner>107</owner>
      <group>107</group>
      <label>system_u:object_r:svirt_image_t:s0:c675,c890</label>
    </permissions>
  </target>
</volume>
=====> This is an expected result, the mode under permissions is 0600.

# chmod 677 /var/lib/libvirt/images/rhel6q.img
=====> Change the permission of the image to 677.

# virsh vol-dumpxml /var/lib/libvirt/images/rhel6q.img
<volume>
  <name>rhel6q.img</name>
  <key>/var/lib/libvirt/images/rhel6q.img</key>
  <source>
  </source>
  <capacity unit='bytes'>8589934592</capacity>
  <allocation unit='bytes'>3345813504</allocation>
  <target>
    <path>/var/lib/libvirt/images/rhel6q.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0677</mode>
      <owner>107</owner>
      <group>107</group>
      <label>system_u:object_r:svirt_image_t:s0:c675,c890</label>
    </permissions>
  </target>
</volume>
=====> This is an expected result, the mode under permissions has changed to 0677.

# ll -Z /var/lib/libvirt/images/rhel6q.img
-rw-rwxrwx. qemu qemu system_u:object_r:svirt_image_t:s0:c675,c890 /var/lib/libvirt/images/rhel6q.img
=====> The permission is 677 now.

# chmod 1777 /var/lib/libvirt/images/rhel6q.img
=====> Change the permission of the image to 1777.

# ll -Z /var/lib/libvirt/images/rhel6q.img
-rwxrwxrwt. qemu qemu system_u:object_r:svirt_image_t:s0:c675,c890 /var/lib/libvirt/images/rhel6q.img
=====> The permission of the image has changed to 1777.

# virsh vol-dumpxml /var/lib/libvirt/images/rhel6q.img
<volume>
  <name>rhel6q.img</name>
  <key>/var/lib/libvirt/images/rhel6q.img</key>
  <source>
  </source>
  <capacity unit='bytes'>8589934592</capacity>
  <allocation unit='bytes'>3345813504</allocation>
  <target>
    <path>/var/lib/libvirt/images/rhel6q.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>0777</mode>
      <owner>107</owner>
      <group>107</group>
      <label>system_u:object_r:svirt_image_t:s0:c675,c890</label>
    </permissions>
  </target>
</volume>
=====> The permission of the image has changed to 0777, not to 1777.

Actual results:
The value of the sticky bit is incorrect.

Expected results:
Libvirt could get the value of the permission correctly.

Additional info:
On modern Linux, the sticky bit on a file doesn't do anything. Also meaningless for FreeBSD.

<quote>
Currently, this behavior is only operative in HP-UX, NetBSD, and UnixWare. Solaris appears to have abandoned this in 2005.[citation needed] The 4.4-Lite release of BSD retained the old sticky bit behavior but it has been subsequently dropped from OpenBSD (as of release 3.7) and FreeBSD (as of release 2.2.1); it remains in NetBSD. No version of Linux has ever supported the traditional behavior.
</quote>

IMO it doesn't deserve a fix. We have the flaw in detecting the sticky bit on a file, but the question is why would one want to use the useless bit?
Are setuid/setgid reported correctly?
(In reply to comment #3)
> Are setuid/setgid reported correctly?

Hi Dave, the same reproduces with setuid and setgid too.

# ll /var/lib/libvirt/images/rhel6q.img
-rw-------. 1 root root 262144 Jul 13 09:40 /var/lib/libvirt/images/rhel6q.img

# chmod 7777 /var/lib/libvirt/images/rhel6q.img

# ll /var/lib/libvirt/images/rhel6q.img
-rwsrwsrwt. 1 root root 262144 Jul 13 09:40 /var/lib/libvirt/images/rhel6q.img

# virsh vol-dumpxml /var/lib/libvirt/images/rhel6q.img
<volume>
  <name>rhel6q.img</name>
  <key>/var/lib/libvirt/images/rhel6q.img</key>
  <source>
  </source>
  <capacity unit='bytes'>8589934592</capacity>
  <allocation unit='bytes'>139264</allocation>
  <target>
    <path>/var/lib/libvirt/images/rhel6q.img</path>
    <format type='raw'/>
    <permissions>
      <mode>0777</mode>
      <owner>0</owner>
      <group>0</group>
      <label>system_u:object_r:virt_image_t:s0</label>
    </permissions>
  </target>
</volume>
(In reply to comment #2)
> On modern Linux, the sticky bit on a file doesn't do anything. Also
> meaningless for FreeBSD.
>
> <quote>
> Currently, this behavior is only operative in HP-UX, NetBSD, and UnixWare.
> Solaris appears to have abandoned this in 2005.[citation needed] The
> 4.4-Lite release of BSD retained the old sticky bit behavior but it has been
> subsequently dropped from OpenBSD (as of release 3.7) and FreeBSD (as of
> release 2.2.1); it remains in NetBSD. No version of Linux has ever supported
> the traditional behavior.
> </quote>
>
> IMO it doesn't deserve a fix. We have the flaw in detecting the sticky bit
> on a file, but the question is why would one want to use the useless bit?

# chmod 7777 rhel6q.img
# ll
total 136
-rwsrwsrwt. 1 root root 262144 Jul 13 09:53 rhel6q.img

# cat /tmp/vol.xml
<volume>
  <name>rhel6q.img</name>
  <key>/var/lib/libvirt/images/rhel6q.img</key>
  <source>
  </source>
  <capacity unit='bytes'>10737418240</capacity>
  <allocation unit='bytes'>139264</allocation>
  <target>
    <path>/var/lib/libvirt/images/rhel6q.img</path>
    <format type='qcow2'/>
    <permissions>
      <mode>7777</mode>
      <owner>0</owner>
      <group>0</group>
      <label>unconfined_u:object_r:virt_image_t:s0</label>
    </permissions>
  </target>
</volume>

# virsh vol-create default /tmp/vol.xml
error: Failed to create vol from /tmp/vol.xml
error: XML error: malformed octal mode

#

If the permission is modified to 7777 in the XML file, creating the vol from the XML file fails.

Although we know that it is useless, I think it would be better for libvirt to get the permission correctly with the suid/sgid/sticky bits than without them.
Upstream patch proposed: https://www.redhat.com/archives/libvir-list/2012-July/msg01453.html
Another upstream patch proposed: https://www.redhat.com/archives/libvir-list/2012-August/msg00687.html