[Bug 691590] Re: libvirt should not take ownership of ISO images

C de-Avillez hggdh2 at ubuntu.com
Sat Dec 18 23:58:39 GMT 2010


@Clint: zsync does the same (writes the updated file to a temp, then
renames/unlinks/whatever -- did not check the source).

@Jamie: I just tried with qemu.conf setting user/group to root -- the
ISO gets chown-ed to root:root, 0600. So, no dice here. Nevertheless, my
whole point is it does not make much sense, security-wise, to chown a
read-only file: it is an ISO image, and it is mounted on the CDROM:

        <devices>
                <disk type='file' device='disk'>
                        <driver name='qemu' type='qcow2'/>
                        <source file='/var/lib/ubuntu-server-iso-testing/tests/819f2dd9-0041-48aa-8dfe-c5899f2cafe7/disk1.qcow2'/>
                        <target dev='vda' bus='virtio'/>
                </disk>
                <disk type='file' device='cdrom'>
                        <source file='/var/lib/ubuntu-server-iso-testing/isos/ubuntu-server/natty-server-amd64.iso'/>
                        <target dev='hdc'/><readonly/>
                </disk>
(...)
        </devices>

If the file is never chown-ed to libvirt:kvm/whatever, then there is no
race -- the file will keep the current ownership. Obviously, this does
not apply to the qcow2 disc -- there is a clear exposure there. Now, why
does libvirt in user-mode also chown the discs? I would expect the user-
mode to run under the control (and ownership, at least for the disc
images) of the effective userId that started the VM.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
https://bugs.launchpad.net/bugs/691590

Title:
  libvirt should not take ownership of ISO images
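
The point made in the message above, as an added example (not part of the original message and not libvirt code): a read-only CD-ROM image only needs to be readable by the emulator account, while a writable disk image needs write access. The function names, the shortened paths and the uid/gid 107 used for the emulator account are assumptions made for illustration.

```python
import stat
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the <devices> fragment in the post, paths shortened.
DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/srv/vm/disk1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <source file='/srv/iso/natty-server-amd64.iso'/>
      <target dev='hdc'/><readonly/>
    </disk>
  </devices>
</domain>
"""

def disk_sources(domain_xml):
    """Yield (path, writable) for every file-backed disk in a domain definition."""
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk[@type='file']"):
        source = disk.find("source")
        if source is None or not source.get("file"):
            continue  # e.g. an empty CD-ROM drive
        yield source.get("file"), disk.find("readonly") is None

def access_ok(st_uid, st_gid, st_mode, uid, gids, writable):
    """Classic POSIX owner/group/other check (ignores ACLs, root, directory traversal)."""
    if uid == st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    need = r | (w if writable else 0)
    return (st_mode & need) == need

def audit(domain_xml, stat_of, uid, gids):
    """Map each disk path to whether the emulator account can use it as-is."""
    report = {}
    for path, writable in disk_sources(domain_xml):
        st_uid, st_gid, st_mode = stat_of(path)
        ok = access_ok(st_uid, st_gid, st_mode, uid, gids, writable)
        report[path] = "no chown needed" if ok else "needs ownership/mode change"
    return report
```

On a real host, `stat_of` can wrap `os.stat` and return `(st_uid, st_gid, st_mode)`; the check covers only the file's own mode bits.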


