[5/5] Allow all users to create a file under the directory /var/lib/xen

Message ID alpine.DEB.2.02.1601261605300.3619@kaball.uk.xensource.com
State New, archived

Commit Message

Stefano Stabellini Jan. 26, 2016, 5:15 p.m. UTC
On Tue, 26 Jan 2016, Ian Campbell wrote:
> On Tue, 2016-01-26 at 00:00 +0000, Andrew Cooper wrote:
> > On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> > > On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
> > > > On 30/12/2015 05:25, Wen Congyang wrote:
> > > > > On 12/30/2015 12:11 PM, Doug Goldstein wrote:
> > > > > > On 12/29/15 8:39 PM, Wen Congyang wrote:
> > > > > > > > We may use a non-root user to run qemu, and qemu needs to
> > > > > > > > write a save file to /var/lib/xen. So we should allow all
> > > > > > > > users to create a file under the directory /var/lib/xen
> > > > > > > 
> > > > > > > Signed-off-by: Wen Congyang <wency@cn.fujitsu.com>
> > > > > > > ---
> > > > > > >  tools/Makefile | 2 +-
> > > > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > > > 
> > > > > > > diff --git a/tools/Makefile b/tools/Makefile
> > > > > > > index 820ca40..402b417 100644
> > > > > > > --- a/tools/Makefile
> > > > > > > +++ b/tools/Makefile
> > > > > > > @@ -60,7 +60,7 @@ build all: subdirs-all
> > > > > > >  install: subdirs-install
> > > > > > >  	$(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
> > > > > > >  	$(INSTALL_DIR) $(DESTDIR)/var/log/xen
> > > > > > > -	$(INSTALL_DIR) $(DESTDIR)/var/lib/xen
> > > > > > > +	$(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
> > > > > > >  .PHONY: uninstall
> > > > > > >  uninstall: D=$(DESTDIR)
> > > > > > > 
> > > > > > I could be wrong but this doesn't seem like something that you'd
> > > > > > want to do given what's stored in there. Could you do something
> > > > > > with permissions on sub-directories to achieve what you need?
> > > > > > 
> > > > > The save file's path is:
> > > > > #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
> > > > > 
> > > > > So all users must have write permission on the directory
> > > > > /var/lib/xen/; otherwise the migration will fail.
> > > > For now, I would avoid running qemu as a non-root user.  It doesn't
> > > > gain you any meaningful security at present (at the expense of a
> > > > warning which can't be turned off).
> > > > 
> > > > As to this bug, marking the directory 0777 is not an option, as save
> > > > records necessarily contain sensitive data.
> > > > 
> > > > Longterm (and already identified in one of the threads in the past),
> > > > the best course of action is to switch away from having files, and
> > > > passing file descriptors instead.  This is more flexible (currently
> > > > libxl can't function on a read-only root filesystem), and would allow
> > > > a privileged entity to open the file descriptor and pass it to a
> > > > non-privileged entity to use.  This allows the non-privileged entity
> > > > to function, and maintains security.
> > > Wen,
> > > 
> > > Could you mention the use case for wanting to write files there?
> > > Looking at the patches you had sent for COLO and Remus they use a file
> > > descriptor - so what is the use-case here?
> > 
> > This is a bug in existing code.  It is not a COLO specific issue.
> > 
> > The current protocol for live migration requires Qemu to write its save
> > file here.
> > 
> > Until this issue is resolved, live migration is inoperable with Qemu
> > running as a non-root user.
> 
> Stefano, is this already on your list of issues to address?
>
> In any case creating a world writeable directory is clearly a non-starter.
> We might need the toolstack to create a directory with suitable permissions
> until we can rework things to work with fds only.

It is sufficient to create an empty save file, as returned by
libxl__device_model_savefile, with the right owner, at domain creation
time. Something like below:


This is another thing that would be easier to fix after Ian's privsep
series, because we'll have a better place for this code.
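The two approaches discussed above (create the save file with the right owner at domain creation, or have a privileged entity open the file and pass the descriptor to the deprivileged device model) can be shown together. The following is an added example written for this page; it is not code from the thread or from libxl/Xen. The privileged side creates the file fresh with mode 0600 and hands the open descriptor over an AF_UNIX socket with SCM_RIGHTS, so the directory itself never needs to be writable by the `-runas` user and no chown is required. Both socket ends live in one process here for simplicity; the temporary directory, the domid 7 in the file name and the payload are constructed for the demo.

```c
/* Added example, not code from the thread or from Xen/libxl: the
 * privileged toolstack creates the device model's save file itself
 * (mode 0600, never reusing an existing file) and hands the open
 * descriptor to the deprivileged device model over a Unix socket with
 * SCM_RIGHTS, so /var/lib/xen can stay root-owned and non-writable.
 * The path, domid and payload below are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Privileged side: create the file fresh. O_EXCL refuses an existing path,
 * so stale contents from an earlier domain are never handed to a new one;
 * O_NOFOLLOW refuses symlinks; O_CLOEXEC keeps the fd out of exec'd children. */
static int open_savefile_fresh(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Send one descriptor over a connected AF_UNIX socket; 0 on success, -1 on error. */
static int send_fd(int sock, int fd) {
    char byte = 'f';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; returns the new fd, or -1 if none was attached. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { 0 };
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Whole exchange in one process (both socket ends are here; in a toolstack
 * the receiving end would be the deprivileged device model after fork/setuid).
 * Returns the number of payload bytes written through the passed fd and read
 * back, provided the file ended up with mode 0600; -1 on any failure. */
static int run_demo(void) {
    static const char payload[] = "save-data";   /* constructed stand-in for a save record */
    char dir[] = "/tmp/xen-savefile-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char path[128];
    snprintf(path, sizeof path, "%s/qemu-save.7", dir);   /* hypothetical domid 7 */
    int sv[2], result = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) goto out_dir;

    int fd = open_savefile_fresh(path);            /* privileged side */
    if (fd < 0) goto out;
    int sent = send_fd(sv[0], fd);
    close(fd);                                     /* the privileged side keeps no copy */
    if (sent < 0) goto out;

    int got = recv_fd(sv[1]);                      /* unprivileged side */
    if (got < 0) goto out;
    ssize_t n = write(got, payload, sizeof payload - 1);
    close(got);
    if (n != (ssize_t)(sizeof payload - 1)) goto out;

    struct stat st;
    char back[sizeof payload];
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) goto out;
    ssize_t r = read(rfd, back, sizeof payload - 1);
    int mode_ok = fstat(rfd, &st) == 0 && (st.st_mode & 0777) == 0600;
    close(rfd);
    if (r == n && memcmp(back, payload, n) == 0 && mode_ok) result = (int)n;
out:
    close(sv[0]); close(sv[1]);
    unlink(path);
out_dir:
    rmdir(dir);
    return result;
}

int main(void) {
    printf("bytes written through the handed-over fd: %d\n", run_demo());
    return 0;
}
```

The receiving side never needs write permission on the directory, only on the descriptor it was given, which is what makes the 0777 directory mode unnecessary; `open_savefile_fresh` also fails on an existing path, so a leftover file from a previous domain with the same domid is never silently reused.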

Comments

Ian Campbell Jan. 27, 2016, 9:48 a.m. UTC | #1
On Tue, 2016-01-26 at 17:15 +0000, Stefano Stabellini wrote:
> It is sufficient to create an empty save file, as returned by
> libxl__device_model_savefile, with the right owner, at domain creation
> time. Something like below:
> 
> diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
> index a088d71..f908422 100644
> --- a/tools/libxl/libxl_dm.c
> +++ b/tools/libxl/libxl_dm.c
> @@ -1285,6 +1285,12 @@ end_search:
>          if (user != NULL && strcmp(user, "root")) {
>              flexarray_append(dm_args, "-runas");
>              flexarray_append(dm_args, user);
> +
> +            const char *filename = libxl__device_model_savefile(gc, guest_domid);
> +            int fd = open(filename, O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0600);
> +            struct passwd *pw = getpwnam(user);
> +            fchown(fd, pw->pw_uid, pw->pw_gid);
> +            close(fd);
>          }
>      }
>      flexarray_append(dm_args, NULL);
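Review bot: none of the `+` lines check a return value: `open()` can fail and `fchown(fd, ...)` then runs on -1, `getpwnam(user)` returns NULL for an unknown user and `pw->pw_uid` dereferences it, and a failed `fchown()` leaves a root-owned 0600 file that the `-runas` user cannot open, so the migration still breaks but now without a diagnostic. Check each call and fail domain creation on error, and close the fd on those error paths rather than only on the success path.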
> 
> This is another thing that would be easier to fix after Ian's privsep
> series, because we'll have a better place for this code.

Right.

In the meantime I think we should update at least docs/misc/qemu-deprivilege.txt
and probably docs/man/xl.cfg.pod.5:device_model_user to mention the
shortcomings of using these options if they are going to break core
functionality such as migration.

Would you knock up a patch please?

At the same time, I wonder if docs/misc/qemu-deprivilege.txt ought to move to
docs/features/ ?

Ian.

Patch

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index a088d71..f908422 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1285,6 +1285,12 @@  end_search:
         if (user != NULL && strcmp(user, "root")) {
             flexarray_append(dm_args, "-runas");
             flexarray_append(dm_args, user);
+
+            const char *filename = libxl__device_model_savefile(gc, guest_domid);
+            int fd = open(filename, O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0600);
+            struct passwd *pw = getpwnam(user);
+            fchown(fd, pw->pw_uid, pw->pw_gid);
+            close(fd);
         }
     }
     flexarray_append(dm_args, NULL);
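Review bot: the `open()` on the `+` line uses O_CREAT without O_EXCL or O_TRUNC, so if `qemu-save.<domid>` already exists (a domid reused after an earlier domain, or a file left behind by a failed migration) the old contents are kept and `fchown()` hands ownership of that earlier domain's save record to the new device model user. Add O_EXCL (after removing any stale file) or at least O_TRUNC, and check the results of `open()`, `getpwnam()` and `fchown()` instead of passing a possibly -1 fd and a possibly NULL `pw` onward; the fd is also never closed when any of those calls fail.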