[Pkg-libvirt-maintainers] Bug#762606: libvirt-daemon-system: there shouldn't be two places for the socket configuration

Christoph Anton Mitterer calestyo at scientia.net
Tue Sep 23 16:55:59 UTC 2014


Package: libvirt-daemon-system
Version: 1.2.8-2
Severity: normal
Tags: security


Hi.

That:
# Beware that if you are changing *any* of these options, and you use
# socket activation with systemd, you need to adjust the settings in
# the libvirtd.socket file as well since it could impose a security
# risk if you rely on file permission checking only.

sounds really like an ugly hack,... and IMHO it just leads to security
issues, when people don't read this (automatic upgrades), or when
there are inconsistencies for other reasons.
Even the defaults seem to have a mismatch:
unix_sock_group = "libvirt"
vs.
SocketGroup=root


Can't the systemd unit file be made dynamic to read the values from
the config file?
Not sure if this is possible in normal unit files, but it should
definitely work with generators.


Cheers,
Chris.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libvirt-daemon-system depends on:
ii  adduser              3.113+nmu3
ii  gettext-base         0.19.2-2
ii  init-system-helpers  1.21
ii  libapparmor1         2.8.0-8
ii  libaudit1            1:2.4-1
ii  libavahi-client3     0.6.31-4
ii  libavahi-common3     0.6.31-4
ii  libblkid1            2.20.1-5.8
ii  libc6                2.19-11
ii  libcap-ng0           0.7.4-2
ii  libdbus-1-3          1.8.8-1
ii  libdevmapper1.02.1   2:1.02.90-1
ii  libgnutls-deb0-28    3.3.8-2
ii  libnl-3-200          3.2.24-2
ii  libnl-route-3-200    3.2.24-2
ii  libnuma1             2.0.10~rc2-2
ii  librados2            0.80.5-2
ii  librbd1              0.80.5-2
ii  libsasl2-2           2.1.26.dfsg1-11
ii  libselinux1          2.3-2
ii  libssh2-1            1.4.3-4
ii  libsystemd0          215-4
ii  libvirt-clients      1.2.8-2
ii  libvirt-daemon       1.2.8-2
ii  libvirt0             1.2.8-2
ii  libxml2              2.9.1+dfsg1-4
ii  libyajl2             2.1.0-2
ii  logrotate            3.8.7-1

Versions of packages libvirt-daemon-system recommends:
ii  bridge-utils  1.5-9
ii  dmidecode     2.12-3
ii  dnsmasq-base  2.71-1
ii  ebtables      2.0.10.4-3
ii  iproute2      3.16.0-2
ii  iptables      1.4.21-2
ii  parted        3.2-6
ii  pm-utils      1.4.1-15

Versions of packages libvirt-daemon-system suggests:
pn  apparmor     <none>
pn  auditd       <none>
ii  policykit-1  0.105-6.1
pn  radvd        <none>
ii  systemd      215-4
pn  systemtap    <none>

-- Configuration Files:
/etc/default/libvirt-guests changed [not included]
/etc/libvirt/libvirtd.conf changed [not included]
/etc/libvirt/lxc.conf changed [not included]
/etc/libvirt/qemu.conf [Errno 13] Permission denied: u'/etc/libvirt/qemu.conf'

-- no debconf information
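
A consistency check for the two files discussed in the report above, as an added example that is not part of the original bug report or of the libvirt packaging. It flags settings where libvirtd.conf and the [Socket] section of libvirtd.socket disagree; the function names, the sample file contents and the pairing of unix_sock_rw_perms with SocketMode are assumptions made for illustration.

```python
import configparser
import re

# (libvirtd.conf key, libvirtd.socket [Socket] key) pairs that must agree.
# The group pair is from the report; the mode pair is an assumed second pair.
PAIRS = [("unix_sock_group", "SocketGroup"), ("unix_sock_rw_perms", "SocketMode")]

def parse_libvirtd_conf(text):
    """Return active `key = value` settings; commented-out lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_socket_unit(text):
    """Return the [Socket] section of a systemd unit as a dict."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep systemd's case-sensitive key names
    cp.read_string(text)
    return dict(cp["Socket"]) if cp.has_section("Socket") else {}

def mismatches(conf_text, unit_text):
    """List (conf_key, conf_value, unit_key, unit_value) for disagreeing pairs."""
    conf, unit = parse_libvirtd_conf(conf_text), parse_socket_unit(unit_text)
    found = []
    for conf_key, unit_key in PAIRS:
        a, b = conf.get(conf_key), unit.get(unit_key)
        if a is None or b is None:
            same = False  # one side silently falls back to its own default
        elif unit_key == "SocketMode":
            same = int(a, 8) == int(b, 8)  # compare modes as octal numbers
        else:
            same = a == b
        if not same:
            found.append((conf_key, a, unit_key, b))
    return found

# Constructed sample contents (not copied from the package), using the
# group values quoted in the report.
SAMPLE_CONF = '# constructed\nunix_sock_group = "libvirt"\nunix_sock_rw_perms = "0770"\n'
SAMPLE_UNIT = "[Socket]\nSocketGroup=root\nSocketMode=0770\n"

if __name__ == "__main__":
    for conf_key, a, unit_key, b in mismatches(SAMPLE_CONF, SAMPLE_UNIT):
        print(f"MISMATCH {conf_key}={a!r} vs {unit_key}={b!r}")
```

A setting that is present in only one file is reported as well, since the other side then uses a default that the check cannot see.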


