[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file

Alex Jia ajia at redhat.com
Wed Oct 12 06:29:50 UTC 2011 

On 10/12/2011 11:57 AM, Hong Xiang wrote:
> [hxiang at T420 ~]$ cat /etc/redhat-release
> Red Hat Enterprise Linux Workstation release 6.1 (Santiago)
> [hxiang at T420 ~]$ cat /etc/openclient-release
> Open Client RHEL 64 3.10 (Gold Master)
> [hxiang at T420 ~]$ libvirtd --version
> libvirtd (libvirt) 0.8.7
> [hxiang at T420 ~]$ virsh -V
> Virsh command line tool of libvirt 0.8.7
> See web site athttp://libvirt.org/
>
> Compiled with support for:
>   Hypervisors: QEmu/KVM LXC ESX Test
>   Networking: Remote Daemon Network Bridging Netcf Nwfilter VirtualPort
>   Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
>   Miscellaneous: SELinux Secrets Debug DTrace Readline
> [hxiang at T420 ~]$ ls -l /etc/precious.*
> -rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.1
> -rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.2
> [hxiang at T420 ~]$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>         'quit' to quit
>
> virsh # start fc15
             ^_ _ _  it seems you're using privileged user to login 
virsh, I remembered that it should be
"virsh >"  not "virsh #" when use unprivileged user, I assume you hadn't 
any modification in libvirtd.conf, in addition, for unprivileged user, 
as usual, libvirt will raise the following information if you're trying 
to connect hypervisor:

Tested it on libvirt-0.8.2-22.el5:
$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock 
--readonly
error: unable to connect to '/var/run/libvirt/libvirt-sock', libvirtd 
may need to be started: Permission denied
error: failed to connect to the hypervisor

Tested it on libvirt-0.9.4-16.el6.x86_64:
$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock 
--readonly
error: authentication failed: authentication failed
error: failed to connect to the hypervisor

Regards,
Alex
> Domain fc15 started
>
> virsh # dump fc15 /etc/precious.1
> Domain fc15 dumped to /etc/precious.1
>
> virsh # save fc15 /etc/precious.2
> Domain fc15 saved to /etc/precious.2
>
> virsh #
> [hxiang at T420 ~]$ ls -l /etc/precious.*
> -rw-r--r--. 1 root root 253777159 Oct 12 11:42 /etc/precious.1
> -rw-r--r--. 1 root root 257745683 Oct 12 11:42 /etc/precious.2
> [hxiang at T420 ~]$

More information about the libvir-list mailing list