# HG changeset patch
# User emellor@xxxxxxxxxxxxxxxxxxxxxx
# Node ID 53ded2201b7f9737faa4edffd86a870e56b2d704
# Parent 601d0229a40e2de9a3cc3dec9e855d8b56b5a890
Set the permissions correctly on the XML-RPC UDP socket, so that non-root users
cannot use the socket.
This closes a security hole, and fixes the intermittent failure
of xm-test/06_list_nonroot.test.
c.f. xen-unstable changeset 9205:faa1eb1621b9 (same bug, different socket).
Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/util/xmlrpclib2.py
--- a/tools/python/xen/util/xmlrpclib2.py Thu Mar 30 23:10:54 2006
+++ b/tools/python/xen/util/xmlrpclib2.py Thu Mar 30 23:13:33 2006
@@ -23,7 +23,7 @@
from httplib import HTTPConnection, HTTP
from xmlrpclib import Transport
from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
-import xmlrpclib, socket, os
+import xmlrpclib, socket, os, stat
import SocketServer
import xen.xend.XendClient
@@ -105,10 +105,13 @@
address_family = socket.AF_UNIX
def __init__(self, addr, logRequests):
- if self.allow_reuse_address:
- try:
+ parent = os.path.dirname(addr)
+ if os.path.exists(parent):
+ os.chown(parent, os.geteuid(), os.getegid())
+ os.chmod(parent, stat.S_IRWXU)
+ if self.allow_reuse_address and os.path.exists(addr):
os.unlink(addr)
- except OSError, exc:
- pass
+ else:
+ os.makedirs(parent, stat.S_IRWXU)
TCPXMLRPCServer.__init__(self, addr, UnixXMLRPCRequestHandler,
logRequests)
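Review bot: The `os.chown`/`os.chmod` calls at the top of `__init__` apply to whatever directory contains `addr`, so this is only safe when that directory is dedicated to the socket. With a path directly under a shared directory (the old `/var/run/xend-xmlrpc.sock` form), the server would re-own `/var/run` itself and restrict it to 0700. I would state the requirement at the call, e.g. `# addr must live in a directory used only for this socket: it is re-owned and set to 0700`, and tighten the test to `if os.path.isdir(parent) and not os.path.islink(parent):`, so that a symlink or plain file at that path is not chmod'ed through. A bare filename also gives `parent == ''`, which falls through to `os.makedirs('')` and raises. Indentation is lost on this page, so the pairing of `else:` with the `os.path.exists(parent)` test is inferred, and the enclosing class starts outside the hunk.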
diff -r 601d0229a40e -r 53ded2201b7f tools/python/xen/xend/XendClient.py
--- a/tools/python/xen/xend/XendClient.py Thu Mar 30 23:10:54 2006
+++ b/tools/python/xen/xend/XendClient.py Thu Mar 30 23:13:33 2006
@@ -19,10 +19,10 @@
from xen.util.xmlrpclib2 import ServerProxy
-XML_RPC_SOCKET = "/var/run/xend-xmlrpc.sock"
+XML_RPC_SOCKET = "/var/run/xend/xmlrpc.sock"
ERROR_INTERNAL = 1
ERROR_GENERIC = 2
ERROR_INVALID_DOMAIN = 3
-server = ServerProxy('httpu:///var/run/xend-xmlrpc.sock')
+server = ServerProxy('httpu:///var/run/xend/xmlrpc.sock')
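Review bot: The new socket path is written out twice in this hunk, once in `XML_RPC_SOCKET` and again inside the `ServerProxy` URL. A later move that updates only one of them would leave clients connecting to a path outside the directory that the server now locks down. Deriving the URL from the constant avoids that: `server = ServerProxy('httpu://' + XML_RPC_SOCKET)`.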