Linux – Setting umask of libvirt/virt-manager for proper permissions in a directory shared by host and guest

Tags: linux, permissions, umask, virt-manager, virtual-machine

I'm attempting to create a directory that is fully available to both the host and guest systems of a virt-manager/libvirt/QEMU/KVM virtual machine, with read, write and execute permissions for non-root users of both systems. Both OSes are Debian – the host is Wheezy, the guest, Jessie. I have been mostly successful, with one exception – files created within the guest OS and the shared directory are unavailable to non-root users on the host system.

The problem that I am running into is that when creating new files within the shared directory in the guest OS, virt-manager/libvirt creates them with their permissions set to 700 (full access for owner – in this case, a user called libvirt-qemu, and no permissions whatsoever for any other users or groups). Essentially, this is equivalent to the libvirt-qemu user's session umask being set to 077. This makes these files inaccessible to the host's non-root users.

The solution that I am trying to implement is to have both the libvirt-qemu user and the relevant other users on the host OS all belong to an additional new, secondary user group called vmshares, and have the shared directory owned by the vmshares group, with the SGID bit set so that all of its contents are also owned by vmshares – which should accomplish what I want. However, I cannot seem to get virt-manager to create new files within the host shared directory with any umask except 077, when I need it to be using 007, so that these files also grant full permissions to members of the vmshares group.

I have tried creating a new file, /etc/pam.d/libvirt with the following contents, to implement the umask policy for the libvirt-qemu user:

libvirtd session requisite pam_umask.so umask=0007

I have also attempted to create a .profile file in /var/lib/libvirt/ with just the following line:

umask 007

I have also tried adding that line near the top of the libvirt-bin init script in /etc/init.d/libvirt-bin.

virt-manager/libvirt seems to ignore all of these completely.

Please, how can I accomplish my goal of having a fully usable shared directory on both the host and guest systems?

Best Answer

I realize this is a very old post but I just recently solved this exact problem by submitting patches to libvirt. Starting in libvirt v6.10, you'll be able to specify the "fmode" and "dmode" options on 9pfs shares which control the default host permissions on files and directories, respectively.

If you can't run v6.10, I found a workaround using the qemu:commandline feature of libvirt's XML domain to pass the raw QEMU flags. I wrote a blog post about how to do this but the quick version is to put something like

<commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
  <arg value="-fsdev"/>
  <arg value="local,security_model=mapped,id=fsdev-fs0,path=/path/to/share,fmode=0644,dmode=0755"/>
  <arg value="-device"/>
  <arg value="virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=sharename,bus=pci.6,addr=0x0"/>
</commandline>

into your domain XML as a child of "domain." The blog post goes into more detail about the values but you may need to tweak fsdev-fs0, fs0, and sharename to fit your domain.
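For reference, the same share expressed in libvirt's native domain XML for libvirt 6.10 or newer, as an added example that is not part of the original answer and not the answerer's code. It assumes a host directory /srv/vmshares owned by root:vmshares with mode 2770 (setgid, and libvirt-qemu a member of vmshares) and the mount tag sharename; the attribute spelling fmode/dmode on the filesystem element is recalled from the libvirt domain XML documentation, so check the result with virt-xml-validate before relying on it. Two caveats a practitioner will want: first, the umask attempts in the question could never work, because with security_model=mapped QEMU's 9p backend creates host-side files and directories with fixed owner-only base modes and stores the guest's ownership and mode in user.virtfs.* extended attributes, and a umask can only clear bits from that base, never add them; fmode/dmode replace the base itself. Second, the answer's fmode=0644/dmode=0755 makes every guest-created file readable by every user on the host, which is wider than the group-only access the question asks for; 660/770 give exactly that, and new subdirectories inherit the setgid bit and vmshares group from the parent without needing it in dmode.

```xml
<!-- Added example (not from the original answer): libvirt-native 9p share with
     default host-side modes, libvirt 6.10+. Place inside <devices> of the
     domain XML (virsh edit <domain>). Assumed: host directory /srv/vmshares,
     root:vmshares, mode 2770, libvirt-qemu in group vmshares; mount tag
     "sharename". Attribute names recalled from the libvirt docs; validate
     with virt-xml-validate. -->
<filesystem type='mount' accessmode='mapped' fmode='660' dmode='770'>
  <!-- mapped: every host file is owned by the QEMU process user
       (libvirt-qemu); guest uid/gid/mode live in user.virtfs.* xattrs, so
       host-side access for other users comes only from these mode bits plus
       the directory's group. 660/770 = group read/write, no world access;
       the answer's 0644/0755 would make every guest-created file
       world-readable on the host. -->
  <source dir='/srv/vmshares'/>
  <target dir='sharename'/>
</filesystem>
```

Inside the guest the share is mounted with `mount -t 9p -o trans=virtio,version=9p2000.L sharename /mnt/share`. On the host, anyone who should reach the files needs to be in vmshares; ownership of the files themselves will always show libvirt-qemu, which is inherent to the mapped model and not a misconfiguration.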
