From 7b8cbcde6cf62ff10ffa57d7f62f6185001be755 Mon Sep 17 00:00:00 2001
From: Nicolas Vazquez
Date: Fri, 10 Mar 2023 07:27:01 -0300
Subject: [PATCH] Fix for issue #235: Fix TLS backend VNC for non root qemu (#238)
* Fix TLS backend VNC for non root qemu
* Add CA directory to the qemu group
* Fix qemu group permissions
* Final fix for users on the qemu group
* Fix dynamic qemu group search
* Retrieve group from qemu.conf file
* Address review comments
---
 scripts/util/keystore-cert-import | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/scripts/util/keystore-cert-import b/scripts/util/keystore-cert-import
index 5a897bbcd36..3d2e782991b 100755
--- a/scripts/util/keystore-cert-import
+++ b/scripts/util/keystore-cert-import
@@ -95,6 +95,12 @@ if [ -f "$LIBVIRTD_FILE" ]; then
 ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
 ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
 cloudstack-setup-agent -s > /dev/null
+
+ QEMU_GROUP=$(sed -n 's/^group=//p' /etc/libvirt/qemu.conf | awk -F'"' '{print $2}' | tail -n1)
+ if [ ! -z "${QEMU_GROUP// }" ]; then
+ chgrp $QEMU_GROUP /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+ chmod 750 /etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+ fi
 fi

 # Update ca-certs if we're in systemvm
@@ -112,6 +118,6 @@ if [ -f "$SYSTEM_FILE" ]; then
 fi

 # Fix file permission
-chmod 600 $CACERT_FILE
-chmod 600 $CERT_FILE
-chmod 600 $PRIVKEY_FILE
+chmod 750 $CACERT_FILE
+chmod 750 $CERT_FILE
+chmod 750 $PRIVKEY_FILE
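Review bot: The added `chmod 750` takes one list that mixes directories with PEM files, so the server key and the certificates get execute bits they never need, and `chgrp $QEMU_GROUP` is unquoted although the value is parsed out of /etc/libvirt/qemu.conf. Directories need the `x` bit for traversal, but the files only need group read, so I would split the call into 750 on the directories and 640 on the files, with `"$QEMU_GROUP"` quoted. The lookup `sed -n 's/^group=//p'` also matches only a `group=` line with no whitespace around `=`; if the file holds `group = "..."` the variable stays empty and the branch is skipped silently, so an `else` that logs the skipped step would make that case visible. The same 750-on-files pattern recurs in the last hunk. The enclosing `if [ -f "$LIBVIRTD_FILE" ]` block starts outside this hunk.

```shell
# … unchanged: QEMU_GROUP lookup from /etc/libvirt/qemu.conf …
if [ -n "${QEMU_GROUP// }" ]; then
    pki_dirs=(/etc/pki/libvirt /etc/pki/libvirt-vnc /etc/pki/CA /etc/pki/libvirt/private)
    pki_files=(/etc/pki/libvirt/servercert.pem /etc/pki/libvirt/private/serverkey.pem
               /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem
               /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem)
    chgrp "$QEMU_GROUP" "${pki_dirs[@]}" "${pki_files[@]}"
    # Directories need the execute bit for traversal; key and certificate files do not.
    chmod 750 "${pki_dirs[@]}"
    chmod 640 "${pki_files[@]}"
else
    echo "qemu group not found in /etc/libvirt/qemu.conf; PKI group ownership left unchanged" >&2
fi
```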
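Review bot: The final `chmod 750 $PRIVKEY_FILE` runs unconditionally, so the private key becomes readable and executable by whatever group already owns it, even when no qemu group was found and the `chgrp` in the first hunk never ran. As far as this hunk shows, the three `chmod` lines sit after the `$SYSTEM_FILE` block at top level, so the loosening would apply on every path through the script, not only on libvirt hosts. Keeping the owner-only default here and widening only where the group is known would limit that: `chmod 600 "$PRIVKEY_FILE"` in this place and `chmod 640 "$PRIVKEY_FILE"` inside the `QEMU_GROUP` branch, with the variables quoted. None of the three files needs an execute bit; their values are assigned outside the hunk, so whether they overlap with the paths changed in the first hunk cannot be confirmed from here.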