[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libvir] PATCH: Allow control over UNIX socket perms & group in libvirtd



When I submitted  the patches for PolicyKit[1] support a few weeks back Rich
suggested that we should have the ability to set UNIX socket permissions
and group ownership regardless. So this patch adds that ability. The default
setting is still,  group=root, and mode=0700 for R/W socket and mode=0777
for the R/O socket.

It is possible to override this via the config file

eg, Don't allow R/O monitoring

   unix_sock_ro_perms="0700"

eg, Allow any user in 'admin' group to manage VMs

   unix_sock_group="admin"
   unix_sock_rw_perms="0770"

eg, Allow anyone todo anything

   unix_sock_rw_perms="0777"


NB, the fchgrp, and fchown syscalls don't have any effect on sockets, so
to set the group ownership & desired mode, I have to play games with the
setgid() and umask() calls prior to bind(), and then restore them to their
original values.


NB, the virConf apis don't seem to recognise Octal numbers when parsing
the config file, so I've used strings for the permissions. Not a big deal
really unless someone desperately wants to fix the config file parser...

Dan.

[1] A new set of patches will be forthcoming soon...
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
diff -r 4ba90e72c54e docs/libvir.html
--- a/docs/libvir.html	Mon Sep 17 15:13:41 2007 -0400
+++ b/docs/libvir.html	Mon Sep 17 16:53:42 2007 -0400
@@ -2192,6 +2192,53 @@ Blank lines and comments beginning with 
 </tr>
 
 <tr>
+<td> unix_sock_group <i>"groupname"</i> </td>
+<td> "root" </td>
+<td>
+  The UNIX group to own the UNIX domain socket. If the socket permissions allow
+  group access, then applications running under matching group can access the
+  socket. Only valid if running as root
+</td>
+</tr>
+
+<tr>
+<td> unix_sock_ro_perms <i>"octal-perms"</i> </td>
+<td> "0777" </td>
+<td>
+  The permissions for the UNIX domain socket for read-only client connections.
+  The default allows any user to monitor domains.
+</td>
+</tr>
+
+<tr>
+<td> unix_sock_rw_perms <i>"octal-perms"</i> </td>
+<td> "0700" </td>
+<td>
+  The permissions for the UNIX domain socket for read-write client connections.
+  The default allows only root to manage domains.
+</td>
+</tr>
+
+<tr>
+<td> mdns_adv <i>[0|1]</i> </td>
+<td> 1 (advertise with mDNS) </td>
+<td>
+  If set to 1 then the virtualization service will be advertised over
+  mDNS to hosts on the local LAN segment.
+</td>
+</tr>
+
+<tr>
+<td> mdns_name <i>"name"</i> </td>
+<td> "Virtualization Host HOSTNAME" </td>
+<td>
+  The name to advertise for this host with Avahi mDNS. The default
+  includes the machine's short hostname. This must be unique to the
+  local LAN segment.
+</td>
+</tr>
+
+<tr>
 <td> tls_no_verify_certificate <i>[0|1]</i> </td>
 <td> 0 (certificates are verified) </td>
 <td>
diff -r 4ba90e72c54e qemud/qemud.c
--- a/qemud/qemud.c	Mon Sep 17 15:13:41 2007 -0400
+++ b/qemud/qemud.c	Mon Sep 17 16:51:15 2007 -0400
@@ -48,6 +48,7 @@
 #include <getopt.h>
 #include <assert.h>
 #include <fnmatch.h>
+#include <grp.h>
 
 #include <libvirt/virterror.h>
 
@@ -71,6 +72,10 @@ static int listen_tcp = 0;
 static int listen_tcp = 0;
 static const char *tls_port = LIBVIRTD_TLS_PORT;
 static const char *tcp_port = LIBVIRTD_TCP_PORT;
+
+static gid_t unix_sock_gid = 0; /* Only root by default */
+static int unix_sock_rw_perms = 0700; /* Allow user only */
+static int unix_sock_ro_perms = 0777; /* Allow world */
 
 #if HAVE_AVAHI
 static int mdns_adv = 1;
@@ -449,6 +454,7 @@ static int qemudListenUnix(struct qemud_
     struct qemud_socket *sock = calloc(1, sizeof(struct qemud_socket));
     struct sockaddr_un addr;
     mode_t oldmask;
+    gid_t oldgrp;
 
     if (!sock) {
         qemudLog(QEMUD_ERR, "Failed to allocate memory for struct qemud_socket");
@@ -475,16 +481,19 @@ static int qemudListenUnix(struct qemud_
         addr.sun_path[0] = '\0';
 
 
-    if (readonly)
-        oldmask = umask(~(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH));
-    else
-        oldmask = umask(~(S_IRUSR | S_IWUSR));
+    oldgrp = getgid();
+    oldmask = umask(readonly ? ~unix_sock_ro_perms : ~unix_sock_rw_perms);
+    if (getuid() == 0)
+        setgid(unix_sock_gid);
+
     if (bind(sock->fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
         qemudLog(QEMUD_ERR, "Failed to bind socket to '%s': %s",
                  path, strerror(errno));
         goto cleanup;
     }
     umask(oldmask);
+    if (getuid() == 0)
+        setgid(oldgrp);
 
     if (listen(sock->fd, 30) < 0) {
         qemudLog(QEMUD_ERR, "Failed to listen for connections on '%s': %s",
@@ -1556,6 +1565,43 @@ remoteReadConfigFile (const char *filena
     p = virConfGetValue (conf, "tcp_port");
     CHECK_TYPE ("tcp_port", VIR_CONF_STRING);
     tcp_port = p ? strdup (p->str) : tcp_port;
+
+    p = virConfGetValue (conf, "unix_sock_group");
+    CHECK_TYPE ("unix_sock_group", VIR_CONF_STRING);
+    if (p && p->str) {
+        if (getuid() != 0) {
+            qemudLog (QEMUD_WARN, "Cannot set group when not running as root");
+        } else {
+            struct group *grp = getgrnam(p->str);
+            if (!grp) {
+                qemudLog (QEMUD_ERR, "Failed to lookup group '%s'", p->str);
+                return -1;
+            }
+            unix_sock_gid = grp->gr_gid;
+        }
+    }
+
+    p = virConfGetValue (conf, "unix_sock_ro_perms");
+    CHECK_TYPE ("unix_sock_ro_perms", VIR_CONF_STRING);
+    if (p && p->str) {
+        char *tmp = NULL;
+        unix_sock_ro_perms = strtol(p->str, &tmp, 8);
+        if (*tmp) {
+            qemudLog (QEMUD_ERR, "Failed to parse mode '%s'", p->str);
+            return -1;
+        }
+    }
+
+    p = virConfGetValue (conf, "unix_sock_rw_perms");
+    CHECK_TYPE ("unix_sock_rw_perms", VIR_CONF_STRING);
+    if (p && p->str) {
+        char *tmp = NULL;
+        unix_sock_rw_perms = strtol(p->str, &tmp, 8);
+        if (*tmp) {
+            qemudLog (QEMUD_ERR, "Failed to parse mode '%s'", p->str);
+            return -1;
+        }
+    }
 
 #if HAVE_AVAHI
     p = virConfGetValue (conf, "mdns_adv");

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]