[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] PATCH: Allow control over UNIX socket perms & group in libvirtd



On Tue, Sep 18, 2007 at 05:38:09AM +0100, Daniel P. Berrange wrote:
> When I submitted  the patches for PolicyKit[1] support a few weeks back Rich
> suggested that we should have the ability to set UNIX socket permissions
> and group ownership regardless. So this patch adds that ability. The default
> setting is still,  group=root, and mode=0700 for R/W socket and mode=0777
> for the R/O socket.
> 
> It is possible to override this via the config file
> 
> eg, Don't allow R/O monitoring
> 
>    unix_sock_ro_perms="0700"
> 
> eg, Allow any user in 'admin' group to manage VMs
> 
>    unix_sock_group="admin"
>    unix_sock_rw_perms="0770"
> 
> eg, Allow anyone todo anything
> 
>    unix_sock_rw_perms="0777"
> 
> 
> NB, the fchgrp, and fchown syscalls don't have any effect on sockets, so
> to set the group ownership & desired mode, I have to play games with the
> setgid() and umask() calls prior to bind(), and then restore them to their
> original values.
> 
> 
> NB, the virConf apis don't seem to recognise Octal numbers when parsing
> the config file, so I've used strings for the permissions. Not a big deal
> really unless someone desperately wants to fix the config file parser...
[...]
> +static gid_t unix_sock_gid = 0; /* Only root by default */
> +static int unix_sock_rw_perms = 0700; /* Allow user only */
> +static int unix_sock_ro_perms = 0777; /* Allow world */
[...]
> -    if (readonly)
> -        oldmask = umask(~(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH));
> -    else
> -        oldmask = umask(~(S_IRUSR | S_IWUSR));
> +    oldgrp = getgid();
> +    oldmask = umask(readonly ? ~unix_sock_ro_perms : ~unix_sock_rw_perms);
> +    if (getuid() == 0)
> +        setgid(unix_sock_gid);
> +

   Looks fine but we went from the full macros definition to the pre
digested octal value. But I'm not old enough to really care :-)

  +1

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]