[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] qemu: Make sure permissions are set on VNC auto socket



On Wed, Apr 29, 2015 at 01:08:37PM -0400, Cole Robinson wrote:
On 04/29/2015 08:32 AM, Martin Kletzander wrote:
On Tue, Apr 28, 2015 at 08:13:19PM -0400, Cole Robinson wrote:
This can cause permissions failures if qemu.conf user/group is changed.


I assume the issue only exists if the socket already exists, am I right?


Hmm, my commit message is bogus. I thought I had hit this issue before and
didn't actually test that it was failing, only verifying that the end result
appeared correct, which it does regardless of this patch. Sorry for the time
wasting.

Here's why it already kinda works without anything explicitly done by libvirt:
you can't bind a unix socket to an existing path, it fails with 'Address
already in use'. qemu handles this by unconditionally unlinking whatever path
is manually passed it. Then the socket bind(2) call will implicitly recreate
the passed in path. In the auto VNC case this effectively causes the
permissions to be reset automagically: qemu can write to the parent
/var/lib/libvirt/qemu directory, and the new socket gets proper user/group
(from the qemu runtime user) and selinux label (from the parent directory)

That said, what _will_ fail is if the user specified an explicit VNC socket
path, but the parent directory was not writeable by qemu. Even if the socket
path is readable/writeable by the user. Kinda confusing but not sure if anyone
cares in practice. FWIW this is true of any usage of qemu's unix: handling.


Since it needs to unlink and create the socket, it must have the
permissions to do so in that respective directory.  As with disks
etc., user is responsible for that unless it is auto-generated path.
We cannot change the permissions on all parent directories.  It's
definitely worth mentioning that somewhere around the VNC socket stuff
in the documentation.

So this patch doesn't add much... I'll drop it.

There are a few other issues WRT VNC unix handling though:

- Default listen address is still added to the runtime XML, though not to qemu CLI


I remember that when I was checking the code most of the conditions
weren't exclusive, the only thing where using a socket effectively
disabled listening was the command line preparation.  I agree that all
the parts should be in sync and not just try initializing and setting
everything unconditionally.

- VNC sockets are left on disk after qemu shuts down... It's unclear what the
fix is though. Maybe qemu should register an atexit handler to clean up unix
sockets, since its the one that's actually creating them. Or maybe leave it as
it is since it might cause user confusion with manually specific paths.


How is it done with monitor sockets?  We are cleaning them in libvirt
if we get the chance, right?  That should be the same case with
chardev channel sockets and everything else.  Even VNC sockets.

Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]