Fix for issue #235: Fix TLS backend VNC for non root qemu (#238)

* Fix TLS backend VNC for non root qemu * Add CA directory to the qemu group * Fix qemu group permissions * Final fix for users on the qemu group * Fix dynamic qemu group search * Retrieve group from qemu.conf file * Address review comments
2023-03-10 07:27:01 -03:00 · 2023-03-10 07:27:01 -03:00 · 7b8cbcde6c
parent 2316e800ba
commit 7b8cbcde6c
1 changed files with 9 additions and 3 deletions
--- a/scripts/util/keystore-cert-import
+++ b/scripts/util/keystore-cert-import
@ -95,6 +95,12 @@ if [ -f "$LIBVIRTD_FILE" ]; then
    ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
    ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
    cloudstack-setup-agent -s > /dev/null
+
+    QEMU_GROUP=$(sed -n 's/^group=//p' /etc/libvirt/qemu.conf | awk -F'"' '{print $2}' | tail -n1)
+    if [ ! -z "${QEMU_GROUP// }" ]; then
+      chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+      chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+    fi
 fi

 # Update ca-certs if we're in systemvm
@ -112,6 +118,6 @@ if [ -f "$SYSTEM_FILE" ]; then
 fi

 # Fix file permission
-chmod 600 $CACERT_FILE
-chmod 600 $CERT_FILE
-chmod 600 $PRIVKEY_FILE
+chmod 750 $CACERT_FILE
+chmod 750 $CERT_FILE
+chmod 750 $PRIVKEY_FILE