[libvirt] FYI: Updated QEMU driver docs on security model

Daniel P. Berrange berrange at redhat.com
Wed Aug 19 16:04:33 UTC 2009


On Wed, Aug 19, 2009 at 03:01:59PM +0100, Mark McLoughlin wrote:
> On Wed, 2009-08-19 at 14:32 +0100, Daniel P. Berrange wrote:
> > FYI, I just pushed the following patch to the repo which adds documentation
> > to the website for all the security model related aspects of libvirt's
> > QEMU driver. It should appear here shortly
> > 
> >   http://libvirt.org/drvqemu.html
> 
> Looks good, mostly just typos below
> 
> ACK etc.
> 
> > +    <h3><a name="securitydac">POSIX DAC users/groups</a></h3>
> > +
> > +    <p>
> > +      In the "session" instance, the POSIX DAC model restricts QEMU virtual
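Review bot: the heading on the first line still reads "POSIX DAC users/groups" while the body text is dropping the acronym, so the heading should follow (e.g. "POSIX users/groups"); keep the `name="securitydac"` anchor unchanged so existing links to drvqemu.html#securitydac continue to resolve.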
> 
> Should expand the acronym, it's pretty obscure

Actually they really served little purpose, so I just removed the
acronyms entirely.


> > +          The directories <code>/var/run/libvirt/qemu/</code>,
> > +          <code>/var/lib/libvirt/qemu/</code> and
> > +          <code>/var/cache/libvirt/qemu/</code> must all have their
> > +          ownership set to match the user / group ID that QEMU
> > +          guests will be run as. If the vendor has set a non-root
> > +          user/group for the QEMU driver at build time, the
> > +          permissions should be set automatically at install time.
> > +          If a host administrator customizes user/group in
> > +          <code>/etc/libvirt/qemu.conf</code>, they will need to
> > +          manually set the ownership on these directories.
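Review bot: the last sentence of this paragraph tells a host administrator who edits `/etc/libvirt/qemu.conf` to "manually set the ownership" on `/var/run/libvirt/qemu/`, `/var/lib/libvirt/qemu/` and `/var/cache/libvirt/qemu/` but gives neither the concrete command nor the symptom of getting it wrong (guests fail to start); spell out the `chown user:group` on the three directories and state that the ownership must match the `user`/`group` keys in that file, so an admin can verify the result rather than discover it at first guest start.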
> 
> It's good to have this documented, but I'd much prefer us to handle it
> automatically
> 
> e.g. libvirtd knows that if the permissions on the dir are wrong, the
> guest won't start
> 
> So, it could warn the user, or create an alternative directory and chown
> it or ...

Yeah, after reading this now I think you're right. We should simply make
libvirtd QEMU driver chown the directories it uses when the driver starts
up, to match the configured user/group. For a default install this would
be a no-op since RPM would have got it right. And it saves pain in the
non-default case

Daniel

-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
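The check-and-chown Daniel settles on above, written up as an added stand-alone example for this thread, not libvirt's code: it reads the `user`/`group` keys from `/etc/libvirt/qemu.conf`, compares them with the ownership of the three directories the patch names, and either reports or repairs the mismatch. The key syntax (`user = "qemu"`) and the directory paths come from the page; the `"root"` fallback when a key is absent, the acceptance of a `+`-prefixed numeric id, and the `--apply` flag are assumptions of this example.

```python
"""Check, and optionally repair, ownership of the QEMU driver's runtime
directories against the user/group configured in qemu.conf.

Added example for this thread, not libvirt's own code.  It mirrors the
startup chown proposed in the reply, but as a stand-alone admin tool."""
import grp
import os
import pwd
import re
import stat

# The three directories named in the documentation patch.
QEMU_DRIVER_DIRS = (
    "/var/run/libvirt/qemu",
    "/var/lib/libvirt/qemu",
    "/var/cache/libvirt/qemu",
)

# Matches the two keys of interest, e.g.   user = "qemu"
_KEY_RE = re.compile(r'^\s*(user|group)\s*=\s*"([^"]*)"\s*$')


def parse_qemu_conf(text, default="root"):
    """Return (user, group) from qemu.conf-style text.

    Only `user = "..."` and `group = "..."` are read.  Comment lines are
    skipped, so a commented-out example never overrides a real setting.
    The fallback for an absent key is an assumption of this example; the
    real default is the vendor's build-time choice described in the docs."""
    values = {"user": default, "group": default}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values["user"], values["group"]


def resolve_ids(user, group):
    """Map names to numeric ids.  Plain or '+'-prefixed numbers are taken
    literally (assumption: libvirt accepts the '+' form); names go through
    the NSS databases and raise KeyError if unknown, which is the right
    failure for a typo in qemu.conf."""
    def to_id(value, lookup):
        digits = value[1:] if value.startswith("+") else value
        return int(digits) if digits.isdigit() else lookup(value)
    return (to_id(user, lambda n: pwd.getpwnam(n).pw_uid),
            to_id(group, lambda n: grp.getgrnam(n).gr_gid))


def find_mismatches(dirs, uid, gid):
    """Return [(path, reason)] for every entry that is missing, is not a
    real directory, or is not owned by uid:gid.  lstat is used so that a
    symlink planted at one of these paths is reported, never followed."""
    problems = []
    for path in dirs:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            problems.append((path, "symlink"))
        elif not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
        elif (st.st_uid, st.st_gid) != (uid, gid):
            problems.append((path, "owned by %d:%d, expected %d:%d"
                             % (st.st_uid, st.st_gid, uid, gid)))
    return problems


def fix_ownership(dirs, uid, gid, apply=False):
    """Dry run by default: return what is wrong.  With apply=True, create
    missing directories and chown mis-owned ones, as the driver could do at
    startup; the returned list then holds only what was left untouched.
    Symlinks and non-directories are never chowned, only reported."""
    problems = find_mismatches(dirs, uid, gid)
    if not apply:
        return problems
    unresolved = []
    for path, reason in problems:
        if reason == "missing":
            os.makedirs(path, mode=0o755, exist_ok=True)
        elif not reason.startswith("owned by"):
            unresolved.append((path, reason))
            continue
        os.chown(path, uid, gid)  # plain directory verified above, not a link
    return unresolved


if __name__ == "__main__":
    import sys
    with open("/etc/libvirt/qemu.conf") as f:
        user, group = parse_qemu_conf(f.read())
    uid, gid = resolve_ids(user, group)
    for path, reason in fix_ownership(QEMU_DRIVER_DIRS, uid, gid,
                                      apply="--apply" in sys.argv[1:]):
        print("%s: %s" % (path, reason))
```

Run without arguments it only reports, which is the warning Mark asks for; `--apply` as root performs the chown. A symlink at one of the paths is deliberately left alone, since chowning through it would hand the link's target to the QEMU user.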



