[openstack-dev] Running dnsmasq in Neutron: unix rights

Kyle Mestery mestery at noironetworks.com
Mon Jun 23 16:09:43 UTC 2014


On Mon, Jun 23, 2014 at 10:10 AM, Thomas Goirand <zigo at debian.org> wrote:
> On 06/14/2014 07:26 PM, Thomas Goirand wrote:
>> Hi,
>>
>> I've been thinking for a long time on how to fix dnsmasq unix rights
>> issue in Neutron. Namely (from syslog):
>>
>> /var/lib/neutron/dhcp/{id}/host : Permission denied
>>
>> One way to fix it is to do:
>> chmod o+x /var/lib/neutron
>>
>> Though I don't feel it's the right way to do things. Wouldn't it be
>> nicer to add:
>> --user=neutron
>>
>> in spawn_process() in neutron/agent/linux/dhcp.py? I know some Debian
>> users did that, and it worked. I was tempted to add such patch, but I
>> don't think it's the right thing to do without upstream approval.
>>
>> Yet another way would be to use "adduser" and add the nobody user in the
>> neutron group, but I'm discarding that option as the least safe.
>>
>> I don't want to introduce a Debian specific security hole in my Neutron
>> package, and I am therefore seeking for advices in this list. What's the
>> safest way to fix that problem?
>>
>> Cheers,
>>
>> Thomas Goirand (zigo)
>>
>> P.S: The issue is also tracked at https://bugs.debian.org/751524, so
>> please leave 751524 at bugs.debian.org as Cc: when replying.
>
> After 10 days, nobody replied to this question... :(
>
I was hoping to get some replies from other distribution maintainers
here. Given that we haven't seen any, perhaps you could file a bug in
Launchpad and submit a patch as you indicate? That would move
discussion to gerrit and we may get some other folks with input there.

Thanks,
Kyle

> Thomas
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list