Date: Thu, 20 Jan 2011 21:15:49 +0000
From: Stefan Hajnoczi
To: "M. Mohan Kumar"
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [V3 PATCH 7/8] virtio-9p: Move file post creation changes to none security model
In-Reply-To: <20110120144836.GN8675@redhat.com>
References: <1295331799-23856-1-git-send-email-mohan@in.ibm.com> <1295339056-25396-1-git-send-email-mohan@in.ibm.com> <20110120085954.GB24021@stefanha-thinkpad.localdomain> <201101202011.28037.mohan@in.ibm.com> <20110120144836.GN8675@redhat.com>

On Thu, Jan 20, 2011 at 2:48 PM, Daniel P. Berrange wrote:
> On Thu, Jan 20, 2011 at 08:11:27PM +0530, M. Mohan Kumar wrote:
>> On Thursday 20 January 2011 2:29:54 pm Stefan Hajnoczi wrote:
>> > On Tue, Jan 18, 2011 at 01:54:16PM +0530, M. Mohan Kumar wrote:
>> > >
>> > > -    if (lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
>> > > -        /*
>> > > -         * If we fail to change ownership and if we are
>> > > -         * using security model none. Ignore the error
>> > > -         */
>> > > -        if (fs_ctx->fs_sm != SM_NONE) {
>> > > -            return -1;
>> > > -        }
>> > > -    }
>> > > +    retval = lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
>> > >
>> > >      return 0;
>> > >
>> > >  }
>> >
>> > retval is unused.
>> >
>>
>> That was used to disable the warning message "error: ignoring return value of
>> ‘lchown’, declared with attribute warn_unused_result"
>>
>> Otherwise I have to use
>> if (lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid)) {
>>       ;
>> }
>>
>> > Can multiple virtio-9p requests execute at a time?  chmod() and lchown()
>> > after creation is a race condition if other requests can execute
>> > concurrently.
>> >
>>
>> We can't implement file creation with requested user credentials and permission
>> bits in the none security model atomically. It's expected behaviour only
>
> Well you could do the nasty trick of forking a child process
> and doing setuid/gid in that and then creating the file before
> letting the parent continue.
>
>  if ((pid = fork()) == 0) {
>      /* drop the group first: after setuid() to an unprivileged
>       * user, setgid() is no longer permitted */
>      setgid(fc_gid);
>      setuid(fc_uid);
>      fd = open("foo", O_CREAT | O_WRONLY, 0644);
>      close(fd);
>      _exit(0);
>  } else {
>      waitpid(pid, NULL, 0);
>  }
>
> This kind of approach is in fact required if you want to
> be able to create files with a special uid/gid on a root
> squashing NFS server, because otherwise your QEMU running
> as root will have its files squashed to 'nobody' when initially
> created, and lchown will fail with EPERM.  You might decide
> that root squashing NFS is too painful to care about supporting
> though :-)

I was thinking about this approach and it's similar to the chroot helper
process, but this time you have a helper process that does
umask/setgid/setuid as necessary.  Performance will be bad but there's
really no way around this.  Either implement something that works 90% of
the time only but runs a bit faster or implement something that works all
the time but runs slow.  It's not a nice trade-off.

Stefan
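Review bot: in the quoted hunk, `retval` is assigned from lchown() but never read before the unconditional `return 0;`, so the variable exists only to silence warn_unused_result while the ownership failure is dropped. If ignoring the failure is the intended none-model behaviour, keep the removed comment ("If we fail to change ownership ... Ignore the error") next to the call so the intent survives, drop the dead variable, and use the `if (lchown(...)) { ; }` form mentioned in the reply, or log the failure at debug level, so a reader of the function can tell the result is being discarded on purpose rather than by accident.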
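The helper-process approach discussed in the thread, written out as an added example; this is not QEMU's virtio-9p code and not Daniel's or Stefan's. A forked child drops supplementary groups (when running as root), then the gid, then the uid, verifies the drop took effect, applies the requested umask and creates the file with O_EXCL, so the file is owned by the requested identity from the moment it exists and no post-creation lchown()/chmod() window is needed. The function name `create_file_as()`, the use of the child's exit status to carry errno back to the parent (assumed to fit in a byte, which holds for Linux errno values), and the `/tmp` path used in the usage call are assumptions made for the example.

```c
/* Added example: create a file that is owned by (uid, gid) from the start by
 * having a forked child change identity before open(). This mirrors the idea
 * sketched in the thread; it is not QEMU code. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure with errno set in the parent.
 * The child reports its errno through its exit status (assumption: the
 * value fits in 8 bits, which is true for Linux errno values). */
int create_file_as(const char *path, uid_t uid, gid_t gid,
                   mode_t mode, mode_t mask)
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        /* Child: drop supplementary groups first (only root can, and only
         * root needs to), then the gid, then the uid. After setuid() to an
         * unprivileged user, setgroups()/setgid() would no longer succeed. */
        if (geteuid() == 0 && setgroups(0, NULL) < 0) {
            _exit(errno);
        }
        if (setgid(gid) < 0 || setuid(uid) < 0) {
            _exit(errno);
        }
        /* Never trust the drop blindly: confirm the identity before
         * touching the filesystem. */
        if (getuid() != uid || geteuid() != uid || getgid() != gid) {
            _exit(EPERM);
        }
        umask(mask);
        /* O_EXCL: an existing path is an error, never silently reused. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd < 0) {
            _exit(errno);
        }
        close(fd);
        _exit(0);
    }
    /* Parent: wait for the child and turn its exit status back into errno. */
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    if (!WIFEXITED(status)) {
        errno = EINTR; /* child was killed by a signal */
        return -1;
    }
    if (WEXITSTATUS(status) != 0) {
        errno = WEXITSTATUS(status);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Usage with the caller's own identity, so it works unprivileged;
     * a privileged caller would pass the guest-requested uid/gid instead. */
    const char *path = "/tmp/create_file_as_example";
    unlink(path);
    if (create_file_as(path, getuid(), getgid(), 0666, 022) < 0) {
        perror("create_file_as");
        return 1;
    }
    printf("created %s with mode 0644\n", path);
    unlink(path);
    return 0;
}
```

The cost is one fork()+waitpid() per create, which is the performance hit the reply refers to; what it buys is that the owner and mode are set atomically with creation, so no concurrently executing request can observe or open the file between open() and a later lchown()/chmod().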