From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Changlong Xie <xiecl.fnst@cn.fujitsu.com>,
	Wei Liu <Wei.Liu2@citrix.com>,
	"Ian.Campbell@citrix.com" <Ian.Campbell@citrix.com>,
	Wen Congyang <wency@cn.fujitsu.com>,
	Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Doug Goldstein <cardoe@cardoe.com>,
	xen devel <xen-devel@lists.xen.org>,
	Shriram Rajagopalan <rshriram@cs.ubc.ca>,
	Yang Hongyang <hongyang.yang@easystack.cn>
Subject: Re: [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
Date: Tue, 26 Jan 2016 00:00:17 +0000
Message-ID: <56A6B711.5010403@citrix.com>
In-Reply-To: <20160125203639.GA14977@char.us.oracle.com>

On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
>> On 30/12/2015 05:25, Wen Congyang wrote:
>>> On 12/30/2015 12:11 PM, Doug Goldstein wrote:
>>>> On 12/29/15 8:39 PM, Wen Congyang wrote:
>>>>> We may use a non-root user to run qemu, and qemu needs to write its
>>>>> save file to /var/lib/xen. So we should allow all users to create
>>>>> a file under the directory /var/lib/xen.
>>>>>
>>>>> Signed-off-by: Wen Congyang <wency@cn.fujitsu.com>
>>>>> ---
>>>>>  tools/Makefile | 2 +-
>>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/tools/Makefile b/tools/Makefile
>>>>> index 820ca40..402b417 100644
>>>>> --- a/tools/Makefile
>>>>> +++ b/tools/Makefile
>>>>> @@ -60,7 +60,7 @@ build all: subdirs-all
>>>>>  install: subdirs-install
>>>>>  	$(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
>>>>>  	$(INSTALL_DIR) $(DESTDIR)/var/log/xen
>>>>> -	$(INSTALL_DIR) $(DESTDIR)/var/lib/xen
>>>>> +	$(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
>>>>>  .PHONY: uninstall
>>>>>  uninstall: D=$(DESTDIR)
>>>>>
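Review bot: `-m 777` on `$(DESTDIR)/var/lib/xen` makes the whole directory writable by every local user, while this thread itself states that the qemu save records written directly into it (`/var/lib/xen/qemu-save.$domid`) contain sensitive data; two lines up the same rule installs `$(XEN_DUMP_DIR)` with `-m 700`, which is the pattern a directory holding this kind of content should follow. A world-writable directory with no sticky bit also lets any local user remove or rename entries belonging to others, so the file qemu later opens is no longer under the toolstack's control. Rather than changing the mode here, either give the qemu user a dedicated subdirectory with tight permissions (Doug's suggestion) or, as Andrew proposes, have the privileged side open the file and pass the descriptor, which leaves the permissions on `/var/lib/xen` untouched.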
>>>> I could be wrong but this doesn't seem like something that you'd want to
>>>> do given what's stored in there. Could you do something with permissions
>>>> on sub-directories to achieve what you need?
>>>>
>>> The save file's path is:
>>> #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
>>>
>>> So all users must have write permission on the directory /var/lib/xen/; otherwise
>>> the migration will fail.
>> For now, I would avoid running qemu as a non-root user.  It doesn't gain you
>> any meaningful security at present (at the expense of a warning which can't
>> be turned off).
>>
>> As to this bug, marking the directory 0777 is not an option, as save records
>> necessarily contain sensitive data.
>>
>> Longterm, (and already identified in one of the threads in the past), the
>> best course of action is to switch away from having files, and passing file
>> descriptors instead.  This is more flexible (currently libxl can't function
>> on a read-only root filesystem), and would allow a privileged entity to open
>> the file descriptor and pass it to a non-privileged entity to use.  This
>> allows the non-privileged entity to function, and maintains security.
> Wen,
>
> Could you mention the use case for wanting to write files there? Looking
> at the patches you had sent for COLO and Remus, they use a file descriptor, so
> what is the use-case here?

This is a bug in existing code.  It is not a COLO specific issue.

The current protocol for live migration requires Qemu to write its save
file here.

Until this issue is resolved, live migration is inoperable with Qemu
running as a non-root user.

~Andrew
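The descriptor-passing design Andrew describes above (a privileged entity opens the file, an unprivileged one writes through the descriptor) is shown below as an added C example that is not part of this thread or of the Xen tree: the parent creates a 0600 save file and hands only the descriptor over a socketpair with SCM_RIGHTS, and the forked child, standing in for qemu, writes through it without ever opening the path. The file path and payload are constructed for the demonstration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move one open descriptor across a Unix socket as SCM_RIGHTS ancillary data
 * (a byte of ordinary payload must ride along). sending=1 sends *fd, 0 fills it. */
static int pass_fd(int sock, int *fd, int sending)
{
    char c = 0, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &c, .iov_len = 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    if (sending) {
        cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), fd, sizeof(int));
        return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &m, 0) != 1 || !(cm = CMSG_FIRSTHDR(&m)) ||
        cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(fd, CMSG_DATA(cm), sizeof(int));   /* kernel installed a new fd */
    return 0;
}

/* Privileged parent creates the 0600 save file and hands only its descriptor to
 * the writer (forked child standing in for qemu), which never opens the path and
 * so needs no permission on the directory. Returns the file size, or -1. */
int save_via_passed_fd(const char *path, const char *payload)
{
    int sv[2], fd, status;
    struct stat st;
    size_t len = strlen(payload);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return -1;
    pid_t pid = fork();
    if (pid == 0) {                         /* writer side: has only sv[1] */
        close(sv[0]);
        if (pass_fd(sv[1], &fd, 0)) _exit(1);
        _exit(write(fd, payload, len) == (ssize_t)len ? 0 : 1);
    }
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);  /* only parent opens */
    if (pid < 0 || fd < 0 || pass_fd(sv[0], &fd, 1)) { close(sv[0]); return -1; }
    close(fd); close(sv[0]); close(sv[1]);  /* parent keeps no handle on the file */
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) || stat(path, &st)) return -1;
    return (int)st.st_size;
}
```

In a real toolstack the two sides would be separate processes under different uids; the fork here only keeps the demonstration self-contained.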
