Thomas Goirand
2012-Sep-05 16:34 UTC
[Pkg-xen-devel] Bug#686778: Bug#686778: xcp-xapi: what user should xapi run as
On 09/06/2012 01:32 AM, Ritesh Raj Sarraf wrote:> Package: xcp-xapi > Version: 1.3.2-11 > Severity: normal > > We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as rootI don't think this is possible. To be able to create VMs, you need to be root in the dom0. Same for manipulating devices (eg: nic, partitions, etc.). So, would you propose to do it? Also, this is more a wishlist that upstreams implements it. I believe you'd better off discussing directly with Mike from Citrix than filling a bug in the debian BTS. Your thoughts? Thomas
Mike McClurg
2012-Sep-05 16:40 UTC
[Pkg-xen-devel] Bug#686778: Bug#686778: xcp-xapi: what user should xapi run as
On Wed, Sep 5, 2012 at 6:32 PM, Ritesh Raj Sarraf <rrs at debian.org> wrote:> Package: xcp-xapi > Version: 1.3.2-11 > Severity: normal > > We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as rootUnfortunately, with the way xapi is currently architected, we can't run it as a non-privileged user. Xapi itself makes calls to xenstore and to the hypervisor in too many places to split those bits out. In upstream xapi, we're working on splitting xapi into a few different daemons. When we finish this, we can package it for Debian such that only the daemon that makes xenstore calls and hypercalls is run as root. Because I think that it is impossible to patch 1.3.2 such that it can be run by a non-root user, I think that we should mark this bug as invalid. Do you agree? Mike
Ritesh Raj Sarraf
2012-Sep-05 17:32 UTC
[Pkg-xen-devel] Bug#686778: xcp-xapi: what user should xapi run as
Package: xcp-xapi Version: 1.3.2-11 Severity: normal We need to have a separate user/group privilege for xapi and its dependent processes. At the moment, everything runs as root -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages xcp-xapi depends on: ii hwdata 0.233-1 ii libc6 2.13-35 ii libpam0g 1.1.3-7.1 ii libuuid1 2.20.1-5.1 ii libvhd0 2.0.90-1 ii libxen-4.1 4.1.3-1 ii libxenstore3.0 4.1.3-1 ii lsb-base 4.1+Debian7 ii pciutils 1:3.1.9-5 ii python 2.7.3~rc2-1 ii python-xenapi 1.3.2-11 ii stunnel4 [stunnel] 3:4.53-1 ii xcp-eliloader 0.1-4 ii xcp-fe 0.5.2-3+b1 ii xcp-networkd 1.3.2-11 ii xcp-squeezed 1.3.2-11 ii xcp-storage-managers 0.1.1-2 ii xcp-v6d 1.3.2-11 ii xcp-xe 1.3.2-11 ii xen-hypervisor-4.1-amd64 [xen-hypervisor-4.1] 4.1.3-1 ii xen-utils-4.1 4.1.3-1 ii zlib1g 1:1.2.7.dfsg-13 Versions of packages xcp-xapi recommends: ii cifs-utils 2:5.5-1 ii xcp-guest-templates 0.1-4 ii xcp-vncterm 0.1-2 xcp-xapi suggests no packages. -- no debconf information
Debian Bug Tracking System
2012-Sep-05 17:57 UTC
[Pkg-xen-devel] Bug#686778: marked as done (xcp-xapi: what user should xapi run as)
Your message dated Thu, 06 Sep 2012 01:52:10 +0800 with message-id <5047914A.9080502 at goirand.fr> and subject line Not realistic now, so closing has caused the Debian Bug report #686778, regarding xcp-xapi: what user should xapi run as to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 686778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686778 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: Ritesh Raj Sarraf <rrs at debian.org> Subject: xcp-xapi: what user should xapi run as Date: Wed, 05 Sep 2012 23:02:04 +0530 Size: 3487 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120905/901d651a/attachment-0002.mht> -------------- next part -------------- An embedded message was scrubbed... From: Thomas Goirand <thomas at goirand.fr> Subject: Not realistic now, so closing Date: Thu, 06 Sep 2012 01:52:10 +0800 Size: 2556 URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120905/901d651a/attachment-0003.mht>
Maybe Matching Threads
- Bug#655303: xcp-xapi: document network configuration in README.Debian
- Bug#655302: xcp-xapi: init script will slow down boot process
- Bug#655301: xcp-xapi fails to start
- Bug#674132: xcp-xapi: backend check error
- Bug#677614: xcp-xapi: someone should create /etc/default/xen