[libvirt] [PATCH] spec: Fix permissions of /var/run/libvirt/qemu

Jiri Denemark posted 1 patch 4 years, 11 months ago
Test syntax-check passed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/113eefbd2b3506a81c73f4eadb1d4eb7ef762c1f.1558616820.git.jdenemar@redhat.com
[libvirt] [PATCH] spec: Fix permissions of /var/run/libvirt/qemu
Posted by Jiri Denemark 4 years, 11 months ago
While libvirtd creates this directory with the default 0755 mode, the
spec file stores 0700 in the RPM database. Thus RPM verification always
complains about this directory. Let's fix the spec file to match
reality.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---

Notes:
    Alternatively, we could change libvirt to create the directory with
    0700 (instead of 0755), but all other drivers use 0755 (both in
    reality and in the spec file) and 0700 wouldn't really enhance
    security anyway.

 libvirt.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 970d2742ac..dc69920d75 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1661,7 +1661,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
-%ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
+%ghost %dir %{_localstatedir}/run/libvirt/qemu/
 %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
 %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
 %{_datadir}/augeas/lenses/libvirtd_qemu.aug
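Review bot: On the new `%ghost %dir %{_localstatedir}/run/libvirt/qemu/` line, dropping `%attr` altogether leaves the recorded mode and owner to whatever default applies in this file list, which the hunk does not show, while the two directory entries right below it keep explicit `%attr(0751, ...)` and `%attr(0750, ...)`. Since the stated goal is for RPM verification to agree with the 0755 that libvirtd creates, consider spelling it out as `%attr(0755, root, root)` so the database entry is pinned to the intended value and the root ownership from the removed line is visibly preserved. A one-line spec comment saying that libvirtd creates this directory as 0755 would also make it less likely that someone tightens the entry back to 0700 later.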
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] spec: Fix permissions of /var/run/libvirt/qemu
Posted by Martin Kletzander 4 years, 11 months ago
On Thu, May 23, 2019 at 03:07:05PM +0200, Jiri Denemark wrote:
>While libvirtd creates this directory with the default 0755 mode, the
>spec file stores 0700 in the RPM database. Thus RPM verification always
>complains about this directory. Let's fix the spec file to match
>reality.
>
>Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
>---
>
>Notes:
>    Alternatively, we could change libvirt to create the directory with
>    0700 (instead of 0755), but all other drivers use 0755 (both in
>    reality and in the spec file) and 0700 wouldn't really enhance
>    security anyway.
>

It would also not work because domains would not be able to get to any file in
there (like qemu agent socket, etc.)

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

> libvirt.spec.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/libvirt.spec.in b/libvirt.spec.in
>index 970d2742ac..dc69920d75 100644
>--- a/libvirt.spec.in
>+++ b/libvirt.spec.in
>@@ -1661,7 +1661,7 @@ exit 0
> %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
> %config(noreplace) %{_sysconfdir}/libvirt/qemu-lockd.conf
> %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu
>-%ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/
>+%ghost %dir %{_localstatedir}/run/libvirt/qemu/
> %dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/
> %dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/cache/libvirt/qemu/
> %{_datadir}/augeas/lenses/libvirtd_qemu.aug
>-- 
>2.21.0
>