I want qemu to access user1's (my) files, so it (qemu) can access my mounted drive (an EXT4 partition) too.
NOTE-1:
I want to just run a VM. qemu can't access the storage file. “chmod 777” is also not enough because (as you can check if you use Fedora) “/run/media/user1/partition1” is only readable by “root” and “user1”. I don’t want to mess with Fedora-managed directory permissions. I want a very simple solution.
NOTE-2:
The user is in the user1 group.
qemu is in the qemu group.
NOTE-3:
I can't believe that I'm asking this. I have not been able to give a user (qemu) access to a specific file. It's getting complex. I have been researching this for weeks as a developer. Am I missing something?
You are right. That was my mistake. If you want write access to the files and directories though, I think you will have to grant your group (user1) write access on the file permissions.
Demo:
[glb@localhost ~]$ mkdir /tmp/test
[glb@localhost ~]$ ls -ld /tmp/test
drwxr-xr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
failed
[glb@localhost ~]$ sudo -u qemu id -Gn
qemu kvm
[glb@localhost ~]$ sudo groupmod -a -U qemu glb
[glb@localhost ~]$ sudo -u qemu id -Gn
qemu kvm glb
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
failed
[glb@localhost ~]$ ls -ld /tmp/test
drwxr-xr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo chmod g+w /tmp/test
[glb@localhost ~]$ ls -ld /tmp/test
drwxrwxr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
[glb@localhost ~]$
Edit:
BTW, it is usually unnecessary to add the user to their own usergroup. The group that has the same name as the user should already be associated. It will (normally) be their “primary” group (the fourth field in the output of getent passwd <user> or the output of id -gn <user>).
Here I could not see “user1 (user)” in the group list, so I panicked and added “user1 (user)” to “user1 (group)” intentionally:
So I run this command:
sudo usermod -aG user1 user1
And then I wrote you my last message on this forum.
Thank you
But I still can’t solve my issue. I mean, what is the simplest way (and best practice) to give a specific user (in my case “qemu”) permissions on this dir:
What you are attempting to do sounds correct. “simple” is a bit subjective. How simple something will be depends somewhat on what you are familiar with. That said, security is one of the most non-trivial aspects of operating systems. And it tends to get more complex with time as more and more “layers” are added (e.g. SELinux).
One thing to be aware of is that the user will need to have traverse permission on all the directories above the file you are attempting to grant them access to. The xs in the first column of the output of ls -l have different meanings depending on whether what is being listed is a file or a directory. For files, the x grants execute permission, but for directories, the x grants traverse permission (meaning the user or group that has the permission might be able to access the existing content in the directory even if they don’t have permission to list the existing files/directories (r) or add new files/directories (w)).
Also, be aware that if the command is running in the background as a service, you might need to restart the service for the configuration change to take effect.
That might be the fundamental problem. The OS might not be designed to do exactly what you are trying to do. In times past, people would often just mount external storage temporarily to /mnt (things were simpler back then).
You won’t be able to “cheat” the permissions with a symlink. The OS is more clever than that.
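The traverse rule above, as an added example that is not from anyone in this thread: a small POSIX shell script that decides, from the mode bits of each ancestor directory alone, whether a hypothetical user (here "qemu" with groups "qemu kvm", as in the demo) could reach a path. The directory tree is constructed in a temp dir to mirror /run/media/user1/partition1; it needs GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. It decides from the mode bits alone whether a
# hypothetical user (here "qemu", groups "qemu kvm") would have traverse (x) permission
# on every ancestor directory of a path; the directory tree is constructed in a tempdir.

# has_x_bit USER GROUPS OWNER GROUP OCTAL_MODE
# Succeeds if USER holds the x bit. The owner class wins if USER owns the entry; otherwise
# the group class applies if GROUP is in USER's space-separated GROUPS; otherwise "other".
has_x_bit() {
  user=$1 groups=$2 owner=$3 group=$4
  mode=$(printf '%03o' "$((0$5))")   # normalise to octal digits
  mode=${mode#"${mode%???}"}         # keep the last three digits (drop setuid/setgid/sticky)
  if [ "$user" = "$owner" ]; then d=${mode%??}
  else
    case " $groups " in
      *" $group "*) d=${mode#?}; d=${d%?} ;;
      *) d=${mode#??} ;;
    esac
  fi
  [ $((d & 1)) -eq 1 ]
}

# blocked_ancestors USER GROUPS PATH
# Prints every ancestor directory of PATH that USER could not traverse (nearest first).
blocked_ancestors() {
  user=$1 groups=$2 p=$3
  while [ "$p" != "/" ]; do
    p=$(dirname "$p")
    set -- $(stat -c '%U %G %a' "$p")          # owner, group, octal mode (GNU stat)
    has_x_bit "$user" "$groups" "$1" "$2" "$3" || printf '%s\n' "$p"
  done
}

# Rebuild the situation from the question under a temp dir: the "user1" directory is
# 700 like /run/media/user1, so chmod 777 on the partition below it does not help qemu.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/media/user1/partition1/vms"
  chmod 755 "$root" "$root/media" "$root/media/user1/partition1/vms"
  chmod 700 "$root/media/user1"
  chmod 777 "$root/media/user1/partition1"
  blocked_ancestors qemu "qemu kvm" "$root/media/user1/partition1/vms/disk.qcow2"
  rm -rf "$root"
}

demo
```

Running it prints only the constructed ".../media/user1" directory: that 700 parent, not the 777 partition, is what stops qemu.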
But nothing changed. Because I think (as @glb mentioned), the issue is about parent directories. And we can't touch the parent directories because we don’t want to mess with OS-managed directories.
Maybe the only way is to give all permissions of “user1 (user)” to “qemu (user)”. But I don’t know how to do that.
The way to do that would probably be to run the qemu process as the user1 user. You should be able to use a command like ps -e -o user,group,command | grep qemu to verify what user and group the qemu* command(s) are running with.
Ideally, it should be an LVM-based pool or a dedicated partition/volume/subvolume mounted to /var/lib/libvirt/images, otherwise mount your disk under /mnt/data and create a new pool targeting the appropriate directory.