[libvirt] [BUG,RFC] directory traversal vulnerability / qemu: name→uuid

Eric Blake eblake at redhat.com
Wed Sep 7 14:02:51 UTC 2011


On 09/07/2011 11:12 AM, Philipp Hahn wrote:
> Hello,
>
> I just tried the following command  with libvirt-0.9.5git:
> # virsh snapshot-create "$VM" /dev/stdin
> <<<'<domainsnapshot><name>../../../../../../etc/passwd</name></domainsnapshot>'
>
> "Luckily" it adds a .xml suffix, but this still looks like a security problem
> to me, because you can overwrite any .xml-file with libvirt gibberish.
> Actually this was found by a user trying to create a snapshot with an
> embedded /, which didn't work, because the sub-directory didn't exist. I know
> SELinux can solve this, but I really would prefer the Qemu driver to reject
> such names.

Qemu won't reject names with /, but I agree with your thought that 
libvirt needs to prevent such names, particularly since it creates 
several other file names (such as log files, managed save, snapshots, 
and even the monitor file) all based on the domain name.

>
> Another problem is, that I sometimes would like to rename a VM to a new name,
> because the old name doesn't describe the VM good enough. <description> is
> not an option, because 1) Xen doesn't store it, and 2) virsh list doesn't
> show it.

Adding a virDomainRename command would indeed be a nice API addition, 
but it certainly involves quite a bit of work.

> Renaming a Qemu-VM is currently impossible, since the name of the VM is used
> for several files and directories and an undefine+define would lose state:
>   /etc/libvirt/qemu/$VM.xml
>   /var/lib/libvirt/qemu/$VM.monitor
>   /var/lib/libvirt/qemu/save/$VM.save
>   /var/lib/libvirt/qemu/snapshot/$VM/$SNAPSHOT.xml

All of these files would have to be edited as part of a virDomainRename. 
You are also missing:

/var/log/libvirt/qemu/$VM.log

> Would it be possible and feasible to convert the Qemu driver to use the UUID
> instead for file and directory naming?

Maybe, but I prefer seeing files by name rather than by UUID when 
browsing through the libvirt internal directories.  If we supported 
renaming, and properly altered the name of all affected files, then I 
see no reason to keep the files by name instead of uuid.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
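The report above boils down to a domain or snapshot name being pasted into a path as if it were a single component. The following C program is an added example written for this page; it is not libvirt code, and the function names (name_is_safe_component, build_snapshot_path, build_snapshot_path_checked) and the constructed input are mine. It builds "<dir>/<name>.xml" the way the report describes, shows that the name from the report escapes the snapshot directory even with the ".xml" suffix appended, and then applies the check the reply asks for: reject any name that is empty, ".", "..", or contains "/", before any path is built from it.

```c
/* Added example (not libvirt code): validate a name before it becomes a
 * path component, and show the traversal an unchecked name produces.
 * Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Reject anything that cannot be used as exactly one path component:
 * empty, ".", "..", or containing a '/' (a '\0' already ends the string). */
static bool name_is_safe_component(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (strchr(name, '/') != NULL)
        return false;
    return true;
}

/* Build "<dir>/<name>.xml" with no validation, as the report describes.
 * Returns 0 on success, -1 if the result would not fit. */
static int build_snapshot_path(char *out, size_t outlen,
                               const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s.xml", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Hardened variant: refuse the name before touching any path. */
static int build_snapshot_path_checked(char *out, size_t outlen,
                                       const char *dir, const char *name)
{
    if (!name_is_safe_component(name))
        return -1;
    return build_snapshot_path(out, outlen, dir, name);
}

/* True if 'path' contains a ".." component, i.e. lexically climbs out of
 * the directory it was built under. Only used here to demonstrate; the
 * real check belongs on the name, not on the finished path. */
static bool path_has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!seg_end)
            break;
        p = seg_end + 1;
    }
    return false;
}

int main(void)
{
    /* Constructed input: the snapshot name from the bug report. */
    const char *dir = "/var/lib/libvirt/qemu/snapshot/myvm";
    const char *bad = "../../../../../../etc/passwd";
    char path[512];

    if (build_snapshot_path(path, sizeof path, dir, bad) == 0)
        printf("unchecked: %s (escapes dir: %s)\n",
               path, path_has_dotdot(path) ? "yes" : "no");
    if (build_snapshot_path_checked(path, sizeof path, dir, bad) < 0)
        printf("checked: rejected '%s'\n", bad);
    if (build_snapshot_path_checked(path, sizeof path, dir, "snap1") == 0)
        printf("checked: %s\n", path);
    return 0;
}
```

The same component check covers the other name-derived files listed in the thread (the .xml, .monitor, .save and .log paths), since all of them are built by joining the domain name onto a fixed directory; checking the name once at define/create time is simpler and safer than inspecting each finished path.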
