Ales, Nir, thank you for the fast response.
On Tue, Mar 9, 2021, 14:21 Ales Musil <amusil(a)redhat.com> wrote:
> Sanlock uses 0775 for good reason. Sanlock is started as root, and it needs
> permissions to create the pid file before dropping privileges. It may be
> possible to solve this with a better SELinux policy, but nobody contributed
> this.
> Can you explain what is the actual issue with this configuration?
I got an answer from a colleague to that question:
The user sanlock is still owner of the folder and should be able to create files in there,
especially when sanlock is started as root. We just want to lower the rights for the
group, which is root. This might be a more or less abstract potential risk, as a user
that is not ‘root’ being a member of group root might not be that common. Still, it is
standard procedure on the servers that a home folder of a user usually has r-x for the
user’s group, and our security check marks this as a potential risk.
BR
Aleksandr
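As an added check, not code from this thread or from sanlock itself: a small model of the Unix discretionary permission check for creating an entry (the pid file) in a directory owned by sanlock:root, evaluated for 0775 and 0755. It shows which callers the group write bit actually serves and which do not need it. The numeric uids/gids, the caller list and the pid directory ownership are assumptions for the example; CAP_DAC_OVERRIDE is modeled as a flag, and SELinux is outside the model.

```python
import stat

# Constructed model of Unix DAC for creating an entry (such as a pid file)
# in a directory. Example code written for this thread, not sanlock's logic.
# Creating an entry needs both write (w) and search (x) permission on the
# directory; the triplet that applies is chosen from the caller's uid/gids.

# Assumed numeric ids for the example (not taken from any real system).
ROOT_UID, ROOT_GID = 0, 0
SANLOCK_UID, SANLOCK_GID = 179, 179        # assumption: the sanlock service account
OPERATOR_UID, OPERATOR_GID = 1000, 1000    # assumption: an ordinary login user


def dir_allows_create(mode, dir_uid, dir_gid, uid, gids, cap_dac_override=False):
    """True if a process with credentials (uid, gids) may create an entry in a
    directory with the given mode bits and owner/group.

    cap_dac_override models CAP_DAC_OVERRIDE, which a root process normally
    holds and which bypasses the mode bits entirely. An LSM such as SELinux
    can still deny the operation; that layer is not modeled here.
    """
    if cap_dac_override:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


# The pid directory is owned by sanlock:root, as described in the thread.
PIDDIR_UID, PIDDIR_GID = SANLOCK_UID, ROOT_GID

# Callers to evaluate (assumed credential sets for the example).
CALLERS = {
    "root, CAP_DAC_OVERRIDE held":    dict(uid=ROOT_UID, gids={ROOT_GID}, cap_dac_override=True),
    "root, CAP_DAC_OVERRIDE dropped": dict(uid=ROOT_UID, gids={ROOT_GID}),
    "sanlock user (after setuid)":    dict(uid=SANLOCK_UID, gids={SANLOCK_GID}),
    "non-root user in group root":    dict(uid=OPERATOR_UID, gids={OPERATOR_GID, ROOT_GID}),
    "unrelated user":                 dict(uid=OPERATOR_UID, gids={OPERATOR_GID}),
}


def pidfile_matrix(dir_mode):
    """Map each caller to whether it could create the pid file in the
    sanlock:root directory with the given mode."""
    return {name: dir_allows_create(dir_mode, PIDDIR_UID, PIDDIR_GID, **creds)
            for name, creds in CALLERS.items()}


def group_write_matters(dir_mode=0o775):
    """Callers whose ability to create the pid file changes when the group
    write bit is removed from dir_mode (i.e. 0775 -> 0755)."""
    with_gw = pidfile_matrix(dir_mode)
    without_gw = pidfile_matrix(dir_mode & ~stat.S_IWGRP)
    return sorted(name for name in CALLERS if with_gw[name] != without_gw[name])


if __name__ == "__main__":
    for mode in (0o775, 0o755):
        print(f"mode {mode:o}:")
        for name, ok in pidfile_matrix(mode).items():
            print(f"  {'allow' if ok else 'deny ':5} {name}")
    print("depends on g+w:", group_write_matters())
```

Reading the table: the sanlock uid can create the file under either mode because it owns the directory, and a root process that still holds CAP_DAC_OVERRIDE never consults the bits at all. The group write bit only changes the outcome for two rows: a uid 0 process that has already dropped CAP_DAC_OVERRIDE before writing the pid file, and any non-root account that is a member of group root, which is the exposure the security check above flags. Which of those two rows applies to sanlock's startup sequence is a question about the daemon's code, not something this model decides.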