From patchwork Tue Jan 26 17:15:25 2016
X-Patchwork-Submitter: Stefano Stabellini
X-Patchwork-Id: 8125241
Date: Tue, 26 Jan 2016 17:15:25 +0000
From: Stefano Stabellini
To: Ian Campbell
Cc: Changlong Xie, Wei Liu, Wen Congyang, Stefano Stabellini, Andrew Cooper, Doug Goldstein, xen devel, Shriram Rajagopalan, Ian Jackson, Yang Hongyang
Subject: Re: [Xen-devel] [PATCH 5/5] Allow all user to create a file under the directory /var/lib/xen
In-Reply-To: <1453800641.4320.211.camel@citrix.com>
References: <1451439588-25310-1-git-send-email-wency@cn.fujitsu.com> <1451439588-25310-6-git-send-email-wency@cn.fujitsu.com> <5683597A.5090203@cardoe.com> <56836ACA.6070507@cn.fujitsu.com> <5683B964.3000809@citrix.com> <20160125203639.GA14977@char.us.oracle.com> <56A6B711.5010403@citrix.com> <1453800641.4320.211.camel@citrix.com>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)

On Tue, 26 Jan 2016, Ian Campbell wrote:
> On Tue, 2016-01-26 at 00:00 +0000, Andrew Cooper wrote:
> > On 25/01/2016 20:36, Konrad Rzeszutek Wilk wrote:
> > > On Wed, Dec 30, 2015 at 11:00:52AM +0000, Andrew Cooper wrote:
> > > > On 30/12/2015 05:25, Wen Congyang wrote:
> > > > > On 12/30/2015 12:11 PM, Doug Goldstein wrote:
> > > > > > On 12/29/15 8:39 PM, Wen Congyang wrote:
> > > > > > > We may use a non-root user to run qemu, and qemu needs to
> > > > > > > write its save file to /var/lib/xen. So we should allow all
> > > > > > > users to create a file under the directory /var/lib/xen
> > > > > > >
> > > > > > > Signed-off-by: Wen Congyang
> > > > > > > ---
> > > > > > >  tools/Makefile | 2 +-
> > > > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > > >
> > > > > > > diff --git a/tools/Makefile b/tools/Makefile
> > > > > > > index 820ca40..402b417 100644
> > > > > > > --- a/tools/Makefile
> > > > > > > +++ b/tools/Makefile
> > > > > > > @@ -60,7 +60,7 @@ build all: subdirs-all
> > > > > > >  install: subdirs-install
> > > > > > >   $(INSTALL_DIR) -m 700 $(DESTDIR)$(XEN_DUMP_DIR)
> > > > > > >   $(INSTALL_DIR) $(DESTDIR)/var/log/xen
> > > > > > > - $(INSTALL_DIR) $(DESTDIR)/var/lib/xen
> > > > > > > + $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen
> > > > > > >  .PHONY: uninstall
> > > > > > >  uninstall: D=$(DESTDIR)
> > > > > >
> > > > > > I could be wrong but this doesn't seem like something that you'd
> > > > > > want to do given what's stored in there. Could you do something
> > > > > > with permissions on sub-directories to achieve what you need?
> > > > > >
> > > > > The save file's path is:
> > > > > #define LIBXL_DEVICE_MODEL_SAVE_FILE "/var/lib/xen/qemu-save" /* .$domid */
> > > > >
> > > > > So all users must have write permission on the directory
> > > > > /var/lib/xen/; otherwise the migration will fail.
> > > > For now, I would avoid running qemu as a non-root user.  It doesn't
> > > > gain you any meaningful security at present (at the expense of a
> > > > warning which can't be turned off).
> > > >
> > > > As to this bug, marking the directory 0777 is not an option, as save
> > > > records necessarily contain sensitive data.
> > > >
> > > > Long term (and already identified in one of the threads in the past),
> > > > the best course of action is to switch away from having files, and
> > > > passing file descriptors instead.  This is more flexible (currently
> > > > libxl can't function on a read-only root filesystem), and would allow
> > > > a privileged entity to open the file descriptor and pass it to a
> > > > non-privileged entity to use.  This allows the non-privileged entity
> > > > to function, and maintains security.
> > > Wen,
> > >
> > > Could you mention the use case for wanting to write files there?
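Review bot: `+ $(INSTALL_DIR) -m 777 $(DESTDIR)/var/lib/xen` makes the directory world-writable (and, with no sticky bit, lets any local user remove or replace other users' files in it), while the context line two above installs $(XEN_DUMP_DIR) with -m 700; as the thread notes, the qemu-save.$domid files kept here contain guest state. Leave the directory mode as it was and instead have the privileged toolstack create the per-domain save file with the device-model user as owner and mode 0600, or open it while still privileged and hand the descriptor to the device model, as the thread goes on to propose.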
> > > Looking at the patches you had sent for COLO and Remus they use a file
> > > descriptor - so what is the use-case here?
> >
> > This is a bug in existing code.  It is not a COLO specific issue.
> >
> > The current protocol for live migration requires Qemu to write its save
> > file here.
> >
> > Until this issue is resolved, live migration is inoperable with Qemu
> > running as a non-root user.
>
> Stefano, is this already on your list of issues to address?
>
> In any case creating a world writeable directory is clearly a non-starter.
> We might need the toolstack to create a directory with suitable permissions
> until we can rework things to work with fds only.

It is sufficient to create an empty save file, as returned by
libxl__device_model_savefile, with the right owner, at domain creation
time. Something like below:

This is another thing that would be easier to fix after Ian's privsep
series, because we'll have a better place for this code.

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index a088d71..f908422 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1285,6 +1285,12 @@ end_search:
 if (user != NULL && strcmp(user, "root")) {
 flexarray_append(dm_args, "-runas");
 flexarray_append(dm_args, user);
+
+ const char *filename = libxl__device_model_savefile(gc, guest_domid);
+ int fd = open(filename, O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0600);
+ struct passwd *pw = getpwnam(user);
+ fchown(fd, pw->pw_uid, pw->pw_gid);
+ close(fd);
 }
 }
 flexarray_append(dm_args, NULL);
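Review bot: none of the added calls is checked. `open()` can fail (a stale qemu-save.$domid left by an earlier run, or the read-only root filesystem mentioned earlier in the thread), `getpwnam(user)` returns NULL for an unknown user so `pw->pw_uid` then dereferences NULL, and `fchown()`'s return value is dropped, so the device model would later find a file it cannot write with nothing logged. Check each call and fail domain creation through libxl's normal error path, consider O_EXCL (or at least a stat before reuse) so a pre-existing file is not silently handed over to the user, and since this sits inside the `-runas` argument-building branch the side effect belongs in a separate setup step, which is also what the privsep remark in the message argues for.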
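The fd-passing design Andrew Cooper describes above, as an added example that is not code from this thread or from libxl: a privileged parent creates the save file with mode 0600 and forks, and the child drops privileges before writing through the inherited descriptor, so the directory never needs to be world-writable. The save path, the user name and the record contents are placeholders chosen here, and the privilege drop is skipped when the example is not run as root.

```c
#include <fcntl.h>
#include <pwd.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to `user` when running as root, a no-op otherwise so the example
 * also runs unprivileged (assumed helper, not libxl's). Returns 0 on success. */
static int drop_to_user(const char *user)
{
    if (geteuid() != 0)
        return 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    /* gid first: once the uid is given up, setgid() would be refused */
    return (setgid(pw->pw_gid) == 0 && setuid(pw->pw_uid) == 0) ? 0 : -1;
}

/* The privileged parent creates `savefile` with mode 0600 and forks; the
 * child inherits the open descriptor, drops privileges and writes `record`
 * through it, so the directory never needs to be world-writable.
 * Returns the resulting file size, or -1 if any step failed. */
long save_via_inherited_fd(const char *savefile, const char *user,
                           const char *record)
{
    int fd = open(savefile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        /* Child: the privileges go away here, the open fd does not. */
        if (drop_to_user(user) != 0)
            _exit(2);
        size_t len = strlen(record);
        _exit(write(fd, record, len) == (ssize_t)len ? 0 : 1);
    }
    close(fd); /* the parent keeps no handle; only the child writes */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0)
        return -1;
    struct stat st;
    if (stat(savefile, &st) != 0 || (st.st_mode & 0777) != 0600)
        return -1;
    return (long)st.st_size;
}
```

In the real toolstack the child would exec the device model with the descriptor number passed on its command line, which is why the descriptor is opened without O_CLOEXEC here.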