[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file



It turned out that in my environment the user 'hxiang' I was testing with is in group 'desktop_admin_r' and PolicyKit takes all users in that group as administrators. That's why I could connect without authentication.
Sorry for the false alarm.

On 10/12/2011 04:22 PM, Daniel P. Berrange wrote:
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
I found there's a way for a unprivileged user to overwrite sensitive
system file with virsh, here's how:
1. (as an unprivileged user) start virsh and connect to the r/w
socket of libvirtd:
    virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock

Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.

2. start a guest, then issue 'save' or 'dump' command, giving a
sensitive system file path as the<file>  parameter, for example,
'/etc/passwd';
3. the sensitive system file will be overwritten;

There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.

Regards,
Daniel

--
Thanks.
Hong Xiang


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]