From: Anthony Liguori
Subject: Re: [Xen-changelog] Set the permissions correctly on the XML-RPC UDP socket, so that non-root users
Date: Fri, 31 Mar 2006 08:36:45 -0600
Message-ID: <442D3E7D.60302@us.ibm.com>
To: xen-devel@lists.xensource.com
Cc: Ewan Mellor
List-Id: xen-devel@lists.xenproject.org

Did you see this failure after changing the socket location to /var/run/xend/xml-rpc.sock?

The only way the permissions of /var/run/xend-xmlrpc.sock should be non-root is if /var/run has non-root permissions. Was that the case?

Regards,

Anthony Liguori

Xen patchbot -unstable wrote:
> # HG changeset patch
> # User emellor@leeni.uk.xensource.com
> # Node ID 53ded2201b7f9737faa4edffd86a870e56b2d704
> # Parent 601d0229a40e2de9a3cc3dec9e855d8b56b5a890
> Set the permissions correctly on the XML-RPC UDP socket, so that non-root users
> cannot use the socket.
>
> This closes a security hole, and fixes the intermittent failure
> of xm-test/06_list_nonroot.test.
>
> c.f. xen-unstable changeset 9205:faa1eb1621b9 (same bug, different socket).
>
> Signed-off-by: Ewan Mellor
>
> diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/util/xmlrpclib2.py > --- a/tools/python/xen/util/xmlrpclib2.py Thu Mar 30 23:10:54 2006 > +++ b/tools/python/xen/util/xmlrpclib2.py Thu Mar 30 23:13:33 2006 > @@ -23,7 +23,7 @@ > from httplib import HTTPConnection, HTTP > from xmlrpclib import Transport > from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler > -import xmlrpclib, socket, os > +import xmlrpclib, socket, os, stat > import SocketServer > > import xen.xend.XendClient 
> @@ -105,10 +105,13 @@ > address_family = socket.AF_UNIX > > def __init__(self, addr, logRequests): > - if self.allow_reuse_address: > - try: > + parent = os.path.dirname(addr) > + if os.path.exists(parent): > + os.chown(parent, os.geteuid(), os.getegid()) > + os.chmod(parent, stat.S_IRWXU) > + if self.allow_reuse_address and os.path.exists(addr): > os.unlink(addr) > - except OSError, exc: > - pass > + else: > + os.makedirs(parent, stat.S_IRWXU) > TCPXMLRPCServer.__init__(self, addr, UnixXMLRPCRequestHandler, > logRequests) > diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/xend/XendClient.py > --- a/tools/python/xen/xend/XendClient.py Thu Mar 30 23:10:54 2006 > +++ b/tools/python/xen/xend/XendClient.py Thu Mar 30 23:13:33 2006 > @@ -19,10 +19,10 @@ > > from xen.util.xmlrpclib2 import ServerProxy > > -XML_RPC_SOCKET = "/var/run/xend-xmlrpc.sock" > +XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock" > > ERROR_INTERNAL = 1 > ERROR_GENERIC = 2 > ERROR_INVALID_DOMAIN = 3 > > -server = ServerProxy('httpu:///var/run/xend-xmlrpc.sock') > +server = ServerProxy('httpu:///var/run/xend/xmlrpc.sock') >
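
Review bot: In the `__init__` hunk of tools/python/xen/util/xmlrpclib2.py, `os.chown(parent, ...)` and `os.chmod(parent, stat.S_IRWXU)` are applied to whatever `os.path.dirname(addr)` returns, guarded only by `os.path.exists(parent)`. A caller that passes a socket path sitting directly under a shared directory (the old `/var/run/xend-xmlrpc.sock` location, for instance) would have that shared directory re-owned and set to 0700, and `os.path.exists` is also true for a symlink to an existing target or for a non-directory. Suggest confirming with `os.lstat` that `parent` is a real directory dedicated to the socket before changing it, and failing otherwise. The same hunk drops the `try`/`except OSError` around `os.unlink(addr)`, so a socket that disappears between the `os.path.exists(addr)` check and the unlink now raises out of the constructor; keeping the handler around the unlink would avoid that.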
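
Review bot: In the tools/python/xen/xend/XendClient.py hunk, the new socket path is written out twice, once in `XML_RPC_SOCKET` and again inside the `ServerProxy('httpu:///var/run/xend/xmlrpc.sock')` literal, so the client URL and the constant can drift apart the next time the location moves. Suggest deriving the URL from the constant, for example `ServerProxy('httpu://' + XML_RPC_SOCKET)`, so that the path whose parent directory is locked down is the one the client actually connects to.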