[PATCH] remote: use SocketMode=0600 when polkit is not compiled

Pavel Hrdina phrdina at redhat.com
Fri Aug 7 15:34:38 UTC 2020 

On Fri, Aug 07, 2020 at 01:45:52PM +0100, Daniel P. Berrangé wrote:
> The systemd .socket unit files we ship for libvirt daemons use
> SocketMode=0666 on the assumption that libvirt is built with
> polkit which provides access control.
> 
> Some people, however, may have explicitly turned off polkit at
> build time and not realize that leaves them insecure unless
> they also change the SocketMode.  This addresses that problem
> by making the SocketMode default to 0600 when polkit is
> disabled at compile time.
> 
> Note we cannot automatically fix the case where the user
> compiles polkit, but then overrides the libvirtd.conf defaults
> to disable polkit. This is what lead to CVE-2020-15708 in
> Ubuntu 20.10.  We can at least improve the inline comments
> in the config file to give a clearer warning though, which
> may have helped avoid the mistaken config.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/meson.build               |  5 +++++
>  src/remote/libvirtd.conf.in   | 38 ++++++++++++++++++++++++++---------
>  src/remote/libvirtd.socket.in |  2 +-
>  3 files changed, 35 insertions(+), 10 deletions(-)
> 
> diff --git a/src/meson.build b/src/meson.build
> index b1c9993bc0..fd23fc55a8 100644
> --- a/src/meson.build
> +++ b/src/meson.build
> @@ -776,6 +776,11 @@ if conf.has('WITH_LIBVIRTD')
>        unit_conf.set('service', unit['service'])
>        unit_conf.set('sockprefix', unit['sockprefix'])
>        unit_conf.set('deps', unit.get('deps', ''))
> +      if conf.has('WITH_POLKIT')
> +        unit_conf.set('mode', '0666')
> +      else
> +        unit_conf.set('mode', '0600')
> +      endif
>  
>        configure_file(
>          input: unit['service_in'],
> diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
> index 2607fbad86..1615f33502 100644
> --- a/src/remote/libvirtd.conf.in
> +++ b/src/remote/libvirtd.conf.in
> @@ -127,6 +127,8 @@
>  #
>  # Authentication.
>  #
> +# There are choices available:
> +#
>  #  - none: do not perform auth checks. If you can connect to the
>  #          socket you are allowed. This is suitable if there are
>  #          restrictions on connecting to the socket (eg, UNIX
> @@ -144,21 +146,39 @@
>  #            full read/write access (aka sudo like), while anyone
>  #            is allowed read/only access.
>  #
> +
>  # Set an authentication scheme for UNIX read-only sockets
> +#
>  # By default socket permissions allow anyone to connect
>  #
> -# To restrict monitoring of domains you may wish to enable
> -# an authentication mechanism here
> +# If libvirt was compiled without support for 'polkit', then
> +# no access control checks are done, but libvirt still only
> +# allows execution of APIs which don't change state.
> +#
> +# If libvirt was compiled with support for 'polkit', then
> +# the libvirt socket will perform a check with polkit after
> +# connections. The default policy still allows any local
> +# user access.
> +#
> +# To restrict monitoring of domains you may wish to either
> +# enable 'sasl' here, or change the polkit policy definition.
>  #auth_unix_ro = "none"
>  
> -# Set an authentication scheme for UNIX read-write sockets
> -# By default socket permissions only allow root. If PolicyKit
> -# support was compiled into libvirt, the default will be to
> -# use 'polkit' auth.
> +# Set an authentication scheme for UNIX read-write sockets.
> +#
> +# If libvirt was compiled without support for 'polkit', then
> +# the systemd .socket files will use SocketMode=0600 by default
> +# thus only allowing root user to connect, and 'auth_unix_rw'
> +# will default to 'none'.
> +#
> +# If libvirt was compiled with support for 'polkit', then
> +# the systemd .socket files will use SocketMode=0666 which
> +# allows any user to connect and 'auth_iunix_rw' will default

s/iunix/unix/

> +# to 'polkit'. If you disable use of 'polkit' here, then it
> +# is essential to change the systemd SocketMode parameter
> +# back to 0600, to avoid an insecure configuration.
>  #
> -# If the unix_sock_rw_perms are changed you may wish to enable
> -# an authentication mechanism here
> -#auth_unix_rw = "none"
> +#auth_unix_rw = "polkit"
>  @CUT_ENABLE_IP@
>  
>  # Change the authentication scheme for TCP sockets.
> diff --git a/src/remote/libvirtd.socket.in b/src/remote/libvirtd.socket.in
> index df36df2125..85b4aa800a 100644
> --- a/src/remote/libvirtd.socket.in
> +++ b/src/remote/libvirtd.socket.in
> @@ -8,7 +8,7 @@ Before=@service at .service
>  # when using systemd version < 227
>  ListenStream=@runstatedir@/libvirt/@sockprefix at -sock
>  Service=@service at .service
> -SocketMode=0666
> +SocketMode=@mode@
>  
>  [Install]
>  WantedBy=sockets.target

Sounds reasonable solution for the default configuration.

Reviewed-by: Pavel Hrdina <phrdina at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20200807/0ab7c9d3/attachment-0001.sig>

More information about the libvir-list mailing list