From: Andrew Cooper
Subject: Re: [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
Date: Tue, 26 Jan 2016 00:00:17 +0000
Message-ID: <56A6B711.5010403@citrix.com>
References: <1451439588-25310-1-git-send-email-wency@cn.fujitsu.com> <1451439588-25310-6-git-send-email-wency@cn.fujitsu.com> <5683597A.5090203@cardoe.com> <56836ACA.6070507@cn.fujitsu.com> <5683B964.3000809@citrix.com> <20160125203639.GA14977@char.us.oracle.com>
In-Reply-To: <20160125203639.GA14977@char.us.oracle.com>
List-Id: xen-devel@lists.xenproject.org
To: Konrad Rzeszutek Wilk
Cc: Changlong Xie, Wei Liu, Ian.Campbell@citrix.com, Wen Congyang, Ian Jackson, Doug Goldstein, xen devel, Shriram Rajagopalan, Yang Hongyang

On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
>> On 30/12/2015 05:25, Wen Congyang wrote:
>>> On 12/30/2015 12:11 PM, Doug Goldstein wrote:
>>>> On 12/29/15 8:39 PM, Wen Congyang wrote:
>>>>> We may use a non-root user to run qemu, and qemu needs to write
>>>>> the save file to /var/lib/xen. So we should allow all users to create
>>>>> a file under the directory /var/lib/xen
>>>>>
>>>>> Signed-off-by: Wen Congyang
>>>>> ---
>>>>> tools/Makefile | 2 +-
>>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/tools/Makefile b/tools/Makefile
>>>>> index 820ca40..402b417 100644
>>>>> --- a/tools/Makefile
>>>>> +++ b/tools/Makefile
>>>>> @@ -60,7 +60,7 @@ build all: subdirs-all
>>>>> install: subdirs-install
>>>>> $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
>>>>> $(INSTALL_DIR) $(DESTDIR)/var/log/xen
>>>>> - $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
>>>>> + $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
>>>>> .PHONY: uninstall
>>>>> uninstall: D=$(DESTDIR)
>>>>>
>>>> I could be wrong but this doesn't seem like something that you'd want to
>>>> do given what's stored in there. Could you do something with permissions
>>>> on sub-directories to achieve what you need?
>>>>
>>> The save file's path is:
>>> #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
>>>
>>> So all users must have write permission on the directory /var/lib/xen/, otherwise
>>> the migration will fail.
>> For now, I would avoid running qemu as a non-root user. It doesn't gain you
>> any meaningful security at present (at the expense of a warning which can't
>> be turned off).
>>
>> As to this bug, marking the directory 0777 is not an option, as save records
>> necessarily contain sensitive data.
>>
>> Long term (and already identified in one of the threads in the past), the
>> best course of action is to switch away from having files, and passing file
>> descriptors instead. This is more flexible (currently libxl can't function
>> on a read-only root filesystem), and would allow a privileged entity to open
>> the file descriptor and pass it to a non-privileged entity to use. This
>> allows the non-privileged entity to function, and maintains security.
> Wen,
>
> Could you mention the use case for wanting to write files there? Looking
> at the patches you had sent for COLO and Remus they use a file descriptor, so
> what is the use case here?

This is a bug in existing code. It is not a COLO-specific issue.

The current protocol for live migration requires Qemu to write its save file here. Until this issue is resolved, live migration is inoperable with Qemu running as a non-root user.

~Andrew
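Review bot: `-m 777` on `$(DESTDIR)/var/lib/xen` in this hunk makes the directory world-writable with no sticky bit, so any local user can not only create files there but also unlink or rename another user's `qemu-save.$domid` record, and the thread notes those records hold sensitive data; the line directly above installs `$(XEN_DUMP_DIR)` with `-m 700`, so the two install rules would now disagree about who may touch domain state. Keep the directory private and instead give the device-model user a dedicated owner-only subdirectory, or have the privileged libxl side open the save file and hand the descriptor to qemu as suggested later in the thread; if a shared directory is unavoidable, `-m 1777` is the minimum that stops cross-user deletion, and it still leaves the file contents to be protected by the file's own mode.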
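Andrew's suggested long-term fix, a privileged process opening the file and passing the descriptor to an unprivileged one, as an added example in C that is not part of this thread, of libxl or of qemu: the parent creates the save file inside a 0700 directory and sends the open descriptor over an AF_UNIX socketpair with SCM_RIGHTS, so the child writes the record without ever needing write access to the directory. The temporary directory (standing in for /var/lib/xen), the `qemu-save.1` name, the `SAVE_RECORD` bytes and the function names are all constructed for the example; a real device model would also drop privileges in the child, which is omitted here so the example runs as an ordinary user.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the bytes qemu would put in its save record. */
#define SAVE_RECORD "constructed-save-record-v1"

/* 1 if only the owner may create/remove/rename entries in dir, 0 if the
 * directory is group- or world-writable (as 0777 would be), -1 on error. */
int dir_is_private(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 0 : 1;
}

/* Hand one open descriptor to the peer of a connected AF_UNIX socket. */
static int send_fd(int sock, int fd)
{
    char tag = 'F', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);

    memset(cbuf, 0, sizeof(cbuf));
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); the kernel installs a fresh fd
 * number in this process.  Returns it, or -1 if no rights arrived. */
static int recv_fd(int sock)
{
    char tag, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cm;
    int fd;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Privileged parent opens the save file in a 0700 directory and passes the
 * descriptor; the forked child writes through it.  Returns the number of
 * bytes the child wrote, or a negative step number on failure. */
int demo_fd_passing(void)
{
    char dir[] = "/tmp/xen-fdpass-XXXXXX", path[64], buf[128];  /* dir stands in for /var/lib/xen */
    int sv[2], fd, status;
    ssize_t n = -1;
    pid_t pid;

    if (!mkdtemp(dir) || chmod(dir, 0700) != 0 || dir_is_private(dir) != 1)
        return -1;
    snprintf(path, sizeof(path), "%s/qemu-save.1", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* privileged side */
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    if ((pid = fork()) < 0)
        return -3;
    if (pid == 0) {   /* unprivileged side: only ever sees the descriptor */
        int wfd;
        close(sv[0]);
        close(fd);
        wfd = recv_fd(sv[1]);
        if (wfd < 0 || write(wfd, SAVE_RECORD, strlen(SAVE_RECORD)) != (ssize_t)strlen(SAVE_RECORD))
            _exit(1);
        _exit(0);
    }
    close(sv[1]);
    if (send_fd(sv[0], fd) != 0)
        return -4;
    close(fd);   /* the parent's copy is no longer needed */
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -5;
    if ((fd = open(path, O_RDONLY)) >= 0) {   /* read back what landed in the private dir */
        n = read(fd, buf, sizeof(buf));
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return n < 0 ? -6 : (int)n;
}
```

Calling `demo_fd_passing()` returns the length of `SAVE_RECORD` when the child managed to write through the descriptor it was handed. The point of the design is that the only object crossing the privilege boundary is the open file, so the directory can stay 0700 and the child cannot enumerate, replace or delete other domains' records; `dir_is_private()` is the check an installer or libxl could run before trusting the directory.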