[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file
Daniel P. Berrange
berrange at redhat.com
Wed Oct 12 08:22:48 UTC 2011
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
> I found there's a way for a unprivileged user to overwrite sensitive
> system file with virsh, here's how:
> 1. (as an unprivileged user) start virsh and connect to the r/w
> socket of libvirtd:
> virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.
> 2. start a guest, then issue 'save' or 'dump' command, giving a
> sensitive system file path as the <file> parameter, for example,
> '/etc/passwd';
> 3. the sensitive system file will be overwritten;
There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list