[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file



On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
> I found there's a way for a unprivileged user to overwrite sensitive
> system file with virsh, here's how:
> 1. (as an unprivileged user) start virsh and connect to the r/w
> socket of libvirtd:
>    virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock

Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.

> 2. start a guest, then issue 'save' or 'dump' command, giving a
> sensitive system file path as the <file> parameter, for example,
> '/etc/passwd';
> 3. the sensitive system file will be overwritten;

There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]