Permission to write a file under the same group does not work

getent group user1

prints:

user1:x:1000:qemu,user1

From now on, “qemu” can do anything I (user1) do.

But this command returns true:

sudo -u user1 test -w '/run/media/user1/partition1/storages/storage1.vmdk' && echo "true" || echo "false"

This command returns false:

sudo -u qemu test -w '/run/media/user1/partition1/storages/storage1.vmdk' && echo "true" || echo "false"

Just because of this, libvirt (which uses the “qemu” user) cannot start a VM with that storage. What am I doing wrong?

Thank you

You’ve got it the wrong way around. :slightly_smiling_face: You need to add user1 to the qemu group.

Edit: My mistake. See my response below for a demo.

Consider using session mode as it works with user privileges:
Access / change floppy images in Gnome Boxes - #2 by vgaetera


No :slight_smile: @glb

I want qemu to access user1’s (my) files. So it (qemu) can access my mounted drive (partition - EXT4) too.

NOTE-1:

I want to just run the VM. qemu can’t access the storage file. “chmod 777” also is not enough because (as you can check if you use Fedora) “/run/media/user1/partition1” is only readable by “root” and “user1”. I don’t want to mess with Fedora-managed directory permissions. I want a very simple solution.

NOTE-2:

  • user is under user1 group.
  • qemu is under qemu group.

NOTE-3:

I can’t believe that I’m asking this. I have not been able to give a user (qemu) access to a specific file. It’s getting complex. I have been researching this for weeks as a developer. Am I missing something?..

@vgaetera I need system session because:

  • I had problems mounting some USB (and/or embedded) devices
  • and it does not work with all network connectors.

With system session I don’t have any limit.

You are right. That was my mistake. If you want write access to the files and directories though, I think you will have to grant your group (user1) write access on the file permissions.

Demo:

[glb@localhost ~]$ mkdir /tmp/test
[glb@localhost ~]$ ls -ld /tmp/test
drwxr-xr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
failed
[glb@localhost ~]$ sudo -u qemu id -Gn
qemu kvm
[glb@localhost ~]$ sudo groupmod -a -U qemu glb
[glb@localhost ~]$ sudo -u qemu id -Gn
qemu kvm glb
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
failed
[glb@localhost ~]$ ls -ld /tmp/test
drwxr-xr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo chmod g+w /tmp/test
[glb@localhost ~]$ ls -ld /tmp/test
drwxrwxr-x. 2 glb glb 40 Dec 17 19:28 /tmp/test
[glb@localhost ~]$ sudo -u qemu test -w /tmp/test || echo failed
[glb@localhost ~]$ 

Edit:

BTW, it is usually unnecessary to add the user to their own user group. The group that has the same name as the user should already be associated. It will (normally) be their “primary” group (the fourth field in the output of getent passwd <user> or the output of id -gn <user>).

@glb I see… I had run first:

sudo usermod -aG user1 qemu

I check:

getent group user1

Here I could not see “user1 (user)” on the group list :slight_smile: I panicked and added “user1 (user)” to “user1 (group)” intentionally:

So I run this command:

sudo usermod -aG user1 user1

And then I wrote you my last message on this forum.

Thank you :slight_smile:

But I still can’t solve my issue. I mean, what is the simplest way (and best practice) to give a specific user (in my case “qemu”) permissions on this path:

/run/media/user1/partition1/storages/storage1.vmdk

Note: This volume is EXT4 and mounted with default options of Fedora (latest stable) (no custom fstab).

What you are attempting to do sounds correct. “simple” is a bit subjective. How simple something will be depends somewhat on what you are familiar with. That said, security is one of the most non-trivial aspects of operating systems. And it tends to get more complex with time as more and more “layers” are added (e.g. SELinux).

One thing to be aware of is that the user will need to have traverse permission on all the directories above the file you are attempting to grant them access to. The xs in the first column of the output of ls -l have different meanings depending on whether what is being listed is a file or a directory. For files, the x grants execute permission, but for directories, the x grants traverse permission (meaning the user or group that has the permission might be able to access the existing content in the directory even if they don’t have permission to list the existing files/directories r or add new files/directories w).

Also, be aware that if the command is running in the background as a service, you might need to restart the service for the configuration change to take effect.


Yes, you’re right. The service may need a restart. That’s why I’m checking the permissions first via this command:

sudo -u qemu test -w '/run/media/user1/partition1/storages/storage1.vmdk' && echo "true" || echo "false"


Exactly. Therefore I’m trying some workarounds, because I don’t want to change the permissions of these directories:

  • /run
  • /run/media
  • /run/media/user1
  • /run/media/user1/partition1

They are managed by the OS.

ADDITIONAL NOTE 1:

I put a symbolic link to:

/lib/libvirt/images/storage_1_symbolic_link

But the same problem exists. “qemu (user)” cannot read that file.

ADDITIONAL NOTE 2:

I also tried to create a hard link, but a hard link cannot be created if the source is on a different partition.


Thank you for your time by the way :pray: :hearts:

That might be the fundamental problem. The OS might not be designed to do exactly what you are trying to do. In times past, people would often just mount external storage temporarily to /mnt (things were simpler back then :slightly_smiling_face:).

You won’t be able to “cheat” the permissions with a symlink. The OS is more clever than that. :slightly_smiling_face:

I’m not on a Linux box right now, so I can’t check, but can you not achieve your requirements with ACL’s — getfacl and setfacl?

@anothermindbomb

I run this:

sudo setfacl -m u:qemu:rwx "/run/media/user1/partition1/storages/storage1.vmdk"

But nothing changed. I think (as @glb mentioned) the issue is about the parent directories. And we can’t touch the parent directories because we don’t want to mess with OS-managed directories.

Maybe the only way is to give all permissions of “user1 (user)” to “qemu (user)”. But I don’t know how to do that.

The way to do that would probably be to run the qemu process as the user1 user. You should be able to use a command like ps -e -o user,group,command | grep qemu to verify what user and group the qemu* command(s) are running with.

You can reduce possible issues:

  • Change the mount point:
    • /var/lib/libvirt/images is the best option.
      • Otherwise you may need to create a new storage pool.
    • Somewhere under /mnt is the second best.
  • Remember to restart and rebuild the relevant storage pool.
  • Switch SELinux to permissive mode for testing.

Also verify permissions like this:

sudo -u qemu namei -o -m -Z /path/to/image

I already did that. I created a new pool via the Virt-manager GUI, which is:

/run/media/user1/partition1/storages


My output is:

f: /run/media/user1/partition1/storages/storage1.vmdk
dr-xr-xr-x root root system_u:object_r:root_t:s0 /
drwxr-xr-x root root system_u:object_r:var_run_t:s0 run
drwxr-xr-x root root system_u:object_r:mnt_t:s0 media
drwxr-x--- root root system_u:object_r:mnt_t:s0 user1
internal1 - Permission denied

As we predicted, we have a problem with the parent directories.
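The traverse rule glb explained above and the namei output in this post, as an added example that is not part of any post in the thread: a bash function (hypothetical names check_path_access and demo_thread_layout) that walks every component of a path for an assumed uid and group list and reports the first component whose mode bits block access, plus a constructed directory tree that mimics a 750 mount directory above a 660 image.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Walks every component of an absolute path
# for a hypothetical uid and group list and reports the first one whose mode
# bits block access, reproducing what "sudo -u qemu namei -m" showed on
# /run/media/user1: the file's own bits are never consulted when an ancestor
# directory lacks x (traverse). Plain mode bits only; ACLs and SELinux are not
# modelled. Needs GNU stat; paths must not contain spaces.
# Usage: check_path_access UID "GID GID..." /abs/path  -> prints ok | denied at ...
check_path_access() {
    local uid="$1" gids="$2" file="$3" p chain="" comp st owner group mode digit need=1
    case "$file" in /*) ;; *) echo "need an absolute path"; return 2;; esac
    [ "$uid" -eq 0 ] && { echo "ok (uid 0 bypasses mode bits)"; return 0; }
    p="$file"
    while [ "$p" != "/" ]; do chain="$p $chain"; p=$(dirname "$p"); done
    for comp in / $chain; do
        st=$(stat -c '%u %g %a' "$comp" 2>/dev/null) || { echo "cannot stat $comp"; return 2; }
        set -- $st; owner=$1; group=$2; mode=$3; mode=${mode: -3}   # drop setuid/sticky digit
        [ "$comp" = "$file" ] && need=6        # final file needs r+w (6); ancestors need x (1)
        if [ "$owner" = "$uid" ]; then digit=${mode:0:1}            # owner class applies alone
        else case " $gids " in *" $group "*) digit=${mode:1:1};; *) digit=${mode:2:1};; esac
        fi
        if [ $(( digit & need )) -ne "$need" ]; then
            echo "denied at $comp (mode $mode, owner $owner:$group)"; return 1
        fi
    done
    echo ok
}

# Constructed layout mirroring the thread: a 750 directory above a 660 image.
# Unlike /run/media/user1 (root:root) the directory here carries the caller's
# own group, because chgrp needs privileges. Returns 0 when all three checks hold.
demo_thread_layout() {
    local top img me grp other out
    top=$(mktemp -d) && chmod 755 "$top"
    img="$top/media/user1/partition1/storages/storage1.vmdk"
    mkdir -p "$(dirname "$img")" && : > "$img"
    chmod 755 "$top/media" "$top/media/user1/partition1" "$(dirname "$img")"
    chmod 750 "$top/media/user1"; chmod 660 "$img"
    me=$(stat -c %u "$top"); grp=$(stat -c %g "$img"); other=$(( me + 1 ))
    # 1) unrelated uid: stopped at the directory; the file's 660 is never reached
    out=$(check_path_access "$other" 65534 "$img")
    case "$out" in "denied at $top/media/user1 ("*) ;; *) rm -rf "$top"; return 1;; esac
    # 2) grant traverse (o+x) on that directory: now the file's "other" bits block
    chmod o+x "$top/media/user1"
    out=$(check_path_access "$other" 65534 "$img")
    case "$out" in "denied at $img ("*) ;; *) rm -rf "$top"; return 1;; esac
    # 3) same uid but a member of the image's group (the usermod -aG route): allowed
    out=$(check_path_access "$other" "$grp" "$img"); rm -rf "$top"
    [ "$out" = ok ]
}
```

Running `check_path_access` with the qemu uid and `id -G qemu` against the real image path gives the same first blocking component that `namei -m` shows, without needing sudo.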


I always disable it before each test I run:

sudo setenforce 0


Do you think this is a good idea? My partition is an external drive. I have all my files inside of it. It would be really bad to access my files via:

/var/lib/libvirt/images/partition1/documents/daily_notes.txt

/var/lib/libvirt/images/partition1/music/mozart.mp3

Ideally, it should be an LVM-based pool or a dedicated partition/volume/subvolume mounted to /var/lib/libvirt/images, otherwise mount your disk under /mnt/data and create a new pool targeting the appropriate directory.

Today I tried this. But I still got the permission error. But interestingly, when I check this:

sudo -u qemu test -w /var/lib/libvirt && echo "true" || echo "false"

it returns true, but this:

sudo -u qemu test -r /var/lib/libvirt/images && echo "true" || echo "false"

returns false.

Is this normal?

1- “qemu (user)” needs to be able to read the images directory.
2- I can run a VM which uses /var/lib/libvirt/images/fedora.vmdk properly.

It should not, so it looks like you added redundant permissions.

Not really, it only needs to traverse the directory.

Check the output:

sudo ls -a -l -Z /var/lib/libvirt/images

Why does it only need traverse? Won’t “qemu (user)” read (R) and update (W) the storage file content when I run the VM?

( I will answer the other questions when I’m home. )