Thomas Goirand
2012-Sep-05 16:34 UTC
[Pkg-xen-devel] Bug#686778: Bug#686778: xcp-xapi: what user should xapi run as
On 09/06/2012 01:32 AM, Ritesh Raj Sarraf wrote:
> Package: xcp-xapi
> Version: 1.3.2-11
> Severity: normal
>
> We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as root

I don't think this is possible. To be able to create VMs, you need to be root in the dom0. Same for manipulating devices (e.g. nic, partitions, etc.).

So, would you propose to do it? Also, this is more a wishlist that upstream implements it. I believe you'd be better off discussing directly with Mike from Citrix than filing a bug in the Debian BTS.

Your thoughts?

Thomas
Mike McClurg
2012-Sep-05 16:40 UTC
[Pkg-xen-devel] Bug#686778: Bug#686778: xcp-xapi: what user should xapi run as
On Wed, Sep 5, 2012 at 6:32 PM, Ritesh Raj Sarraf <rrs at debian.org> wrote:
> Package: xcp-xapi
> Version: 1.3.2-11
> Severity: normal
>
> We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as root

Unfortunately, with the way xapi is currently architected, we can't run it as a non-privileged user. Xapi itself makes calls to xenstore and to the hypervisor in too many places to split those bits out.

In upstream xapi, we're working on splitting xapi into a few different daemons. When we finish this, we can package it for Debian such that only the daemon that makes xenstore calls and hypercalls is run as root.

Because I think that it is impossible to patch 1.3.2 such that it can be run by a non-root user, I think that we should mark this bug as invalid. Do you agree?

Mike
Ritesh Raj Sarraf
2012-Sep-05 17:32 UTC
[Pkg-xen-devel] Bug#686778: xcp-xapi: what user should xapi run as
Package: xcp-xapi
Version: 1.3.2-11
Severity: normal

We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as root

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xcp-xapi depends on:
ii hwdata 0.233-1
ii libc6 2.13-35
ii libpam0g 1.1.3-7.1
ii libuuid1 2.20.1-5.1
ii libvhd0 2.0.90-1
ii libxen-4.1 4.1.3-1
ii libxenstore3.0 4.1.3-1
ii lsb-base 4.1+Debian7
ii pciutils 1:3.1.9-5
ii python 2.7.3~rc2-1
ii python-xenapi 1.3.2-11
ii stunnel4 [stunnel] 3:4.53-1
ii xcp-eliloader 0.1-4
ii xcp-fe 0.5.2-3+b1
ii xcp-networkd 1.3.2-11
ii xcp-squeezed 1.3.2-11
ii xcp-storage-managers 0.1.1-2
ii xcp-v6d 1.3.2-11
ii xcp-xe 1.3.2-11
ii xen-hypervisor-4.1-amd64 [xen-hypervisor-4.1] 4.1.3-1
ii xen-utils-4.1 4.1.3-1
ii zlib1g 1:1.2.7.dfsg-13

Versions of packages xcp-xapi recommends:
ii cifs-utils 2:5.5-1
ii xcp-guest-templates 0.1-4
ii xcp-vncterm 0.1-2

xcp-xapi suggests no packages.

-- no debconf information
Debian Bug Tracking System
2012-Sep-05 17:57 UTC
[Pkg-xen-devel] Bug#686778: marked as done (xcp-xapi: what user should xapi run as)
Your message dated Thu, 06 Sep 2012 01:52:10 +0800
with message-id <5047914A.9080502 at goirand.fr>
and subject line Not realistic now, so closing
has caused the Debian Bug report #686778,
regarding xcp-xapi: what user should xapi run as
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

--
686778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686778
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Ritesh Raj Sarraf <rrs at debian.org>
Subject: xcp-xapi: what user should xapi run as
Date: Wed, 05 Sep 2012 23:02:04 +0530
Size: 3487
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120905/901d651a/attachment-0002.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Thomas Goirand <thomas at goirand.fr>
Subject: Not realistic now, so closing
Date: Thu, 06 Sep 2012 01:52:10 +0800
Size: 2556
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120905/901d651a/attachment-0003.mht>