Hello Eric,

On Wednesday 07 September 2011 16:02:51 Eric Blake wrote:
> On 09/07/2011 11:12 AM, Philipp Hahn wrote:
> > I just tried the following command with libvirt-0.9.5git:
> > # virsh snapshot-create "$VM" /dev/stdin <<<'<domainsnapshot><name>../../../../../../etc/passwd</name></domainsnapshot>'
> >
> > "Luckily" it adds a .xml suffix, but this still looks like a security
> > problem to me, because you can overwrite any .xml file with libvirt
> > gibberish. Actually this was found by a user trying to create a snapshot
> > with an embedded /, which didn't work, because the sub-directory didn't
> > exist. I know SELinux can solve this, but I really would prefer the Qemu
> > driver to reject such names.
>
> Qemu won't reject names with /, but I agree with your thought that
> libvirt needs to prevent such names, particularly since it creates
> several other file names (such as log files, managed save, snapshots,
> and even the monitor file) all based on the domain name.

For Qemu the name is just a C string, but libvirt makes the error of using those bits as something else, namely a UNIX/Windows/whatever path name, which has additional constraints. So if libvirt wants to use the name as a path, it must add an additional constraint on the naming to make it safe, or at least use some escaping when translating the name to a path name.

> You are also missing:
> /var/log/libvirt/qemu/$VM.log

Yes, which is complicated by logrotate replacing and renaming those files.

> > Would it be possible and feasible to convert the Qemu driver to use the
> > UUID instead for file and directory naming?
>
> Maybe, but I prefer seeing files by name rather than by UUID when
> browsing through the libvirt internal directories. If we supported
> renaming, and properly altered the name of all affected files, then I
> see no reason to keep the files by name instead of uuid.

Yes, names are definitely nicer than UUIDs, but they make renaming harder (I hope nobody wants to change the UUID) and have the meta-character problem. With UUIDs we are sure that they always consist of safe characters and have a finite length.

Sincerely
Philipp
--
Philipp Hahn           Open Source Software Engineer      hahn univention de
Univention GmbH        Linux for Your Business        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  D-28359 Bremen                 fax: +49 421 22 232-99
                                                   http://www.univention.de/
----------------------------------------------------------------------------
Meet Univention at IT&Business from 20 to 22 September 2011 on the joint stand of the Open Source Business Alliance in Stuttgart, Hall 3, Stand 3D27-7.
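The two remedies the thread discusses (a constraint on names used as path components, or escaping when a name is turned into a file name) as an added example in C. This is illustration code written for this page, not libvirt's own code: the `NAME_MAX_LEN` bound, the `$BASE/$VM/$SNAPSHOT.xml` layout and the function names are assumptions, and the percent-escaping scheme is one possible choice, not what libvirt does.

```c
/* Added example, not libvirt code: stop a domain or snapshot name from
 * acting as a path.  NAME_MAX_LEN, the directory layout and the escaping
 * scheme are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define NAME_MAX_LEN 64   /* assumed bound, like a UUID it gives finite length */

/* Policy check: is 'name' acceptable as exactly one path component?
 * Rejects empty and overlong names, "." and "..", both path separators
 * and control characters (a '\n' in a name would also corrupt log lines).
 * An embedded NUL is invisible to a C string, so nothing needs to be
 * checked for it here. */
int name_is_safe(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > NAME_MAX_LEN) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\') return 0;   /* path separators */
        if (c < 0x20 || c == 0x7f) return 0;   /* control characters */
    }
    return 1;
}

/* Alternative: accept any name but percent-escape everything outside
 * [A-Za-z0-9_-] when mapping it to a file name.  The mapping is
 * reversible, so "a/b" and "a%2Fb" end up as different files.
 * Returns the number of bytes written, or -1 if 'out' is too small. */
int escape_component(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (plain) {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outsz) return -1;
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The pattern from the thread: $BASE/$VM/$SNAPSHOT.xml.  Returns 0 and
 * fills 'out', or -1 when either name fails the policy check or the
 * buffer is too small. */
int build_snapshot_path(char *out, size_t outsz, const char *base,
                        const char *vm, const char *snap)
{
    int n;
    if (!name_is_safe(vm) || !name_is_safe(snap)) return -1;
    n = snprintf(out, outsz, "%s/%s/%s.xml", base, vm, snap);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

int main(void)
{
    char path[512], esc[256];
    const char *base = "/var/lib/libvirt/qemu/snapshot";   /* assumed layout */
    const char *evil = "../../../../../../etc/passwd";     /* name from the thread */

    printf("name_is_safe(\"backup1\") = %d\n", name_is_safe("backup1"));
    printf("name_is_safe(evil)        = %d\n", name_is_safe(evil));
    printf("build(evil) -> %d\n",
           build_snapshot_path(path, sizeof path, base, "vm1", evil));
    if (build_snapshot_path(path, sizeof path, base, "vm1", "backup1") == 0)
        printf("build(backup1) -> %s\n", path);
    if (escape_component(evil, esc, sizeof esc) >= 0)
        printf("escaped: %s\n", esc);
    return 0;
}
```

Either approach alone closes the traversal; the policy check is simpler to audit, the escaping keeps existing names working. Whichever is chosen has to be applied at every place a name becomes a path (snapshot XML, managed save, monitor socket, the log file under /var/log/libvirt/qemu), since one unescaped site is enough.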