socket is inaccessible for libvirt-dbus
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) |
Won't Fix
|
Medium
|
Unassigned | ||
Eoan |
Won't Fix
|
Medium
|
Unassigned | ||
Hirsute |
Won't Fix
|
Undecided
|
Unassigned | ||
Jammy |
Won't Fix
|
Medium
|
Unassigned | ||
libvirt-dbus (Ubuntu) |
Fix Released
|
High
|
Martin Pitt | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Hirsute |
Fix Released
|
High
|
Unassigned | ||
Jammy |
Fix Released
|
High
|
Martin Pitt |
Bug Description
[Impact]
* Due to the difference in auth mechanisms between Debian (polkit)
and Ubuntu (group based) libvirt-dbus does not work as-is in
Ubuntu.
* Users would need to manually add a user to a group, but we
should make the default install experience work.
[Test Case]
# should install fine
$ sudo apt-get install libvirt-dbus
# should be avail due to dependencies and look normal (as shown here)
$ ls -l /var/run/
srw-rw---- 1 root libvirt 0 Oct 5 05:50 /var/run/
# should be part of the "libvirt" group
$ id libvirtdbus
uid=997(
# call should work
$ busctl call org.libvirt /org/libvirt/QEMU org.libvirt.Connect ListDomains u 0
bad:
Call failed: Failed to connect socket to '/var/run/
good:
ao 0
[Regression Potential]
* The change only does the group add, no regression expected except a
potential security issue. That was brought up and signed off by
security in comment #13 =>
https:/
[Other Info]
* The package also was an FTBFS which this upload fixes as well.
That change is only to the build-time self tests, so again no change to
the runtime behavior due to the changes.
This FTFBS is only present with newer libvirt, and therefore the Focal
SRU will only have the permissions change, but depending on timing the
groovy upload might become a zero day SRU hence I wanted to mention.
----
Package: libvirt-dbus
Version: 1.2.0-1
DistroRelease: Ubuntu 18.10
libvirt-dbus seems to be completely broken for the system connection:
root:~# busctl call org.libvirt /org/libvirt/QEMU org.libvirt.Connect ListDomains u 0
Failed to connect socket to '/var/run/
root:~# ls -l /var/run/
srwxrwx--- 1 root libvirt 0 Nov 6 15:15 /var/run/
root:~# ps aux|grep libvirtd
root 1434 0.0 3.4 1038028 35212 ? Ssl 15:15 0:00 /usr/sbin/libvirtd
The same happens for a user that is in the "libvirt" group.
On Fedora and also Debian testing (which has the exact same libvirt-dbus package), the socket has permissions 777 instead of 770, where it works. I don't have an idea where the wrong permissions are set.
Related branches
- Paride Legovini (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Christian Ehrhardt : Pending requested
-
Diff: 239 lines (+189/-1)7 files modifieddebian/changelog (+11/-0)
debian/control (+2/-1)
debian/patches/series (+3/-0)
debian/patches/tests-skip-CPU-pinning-test-on-libvirt-6.6.0.patch (+41/-0)
debian/patches/tests-vcpupininfo-32bit.patch (+36/-0)
debian/patches/tests-vcpupininfo-use-pytest.skip.patch (+43/-0)
debian/postinst (+53/-0)
tags: | added: cosmic |
description: | updated |
tags: | added: disco eoan |
Changed in libvirt (Ubuntu): | |
status: | Confirmed → Triaged |
importance: | Undecided → Medium |
description: | updated |
tags: | added: patch |
Changed in libvirt (Ubuntu Hirsute): | |
status: | New → Won't Fix |
Other users run into this as well: https:/ /github. com/cockpit- project/ cockpit/ issues/ 13339