Re: [libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file
It turned out that in my environment the user 'hxiang' I was testing
with is in group 'desktop_admin_r' and PolicyKit takes all users in that
group as administrators. That's why I could connect without authentication.
Sorry for the false alarm.
On 10/12/2011 04:22 PM, Daniel P. Berrange wrote:
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
> I found there's a way for a unprivileged user to overwrite sensitive
> system file with virsh, here's how:
> 1. (as an unprivileged user) start virsh and connect to the r/w
> socket of libvirtd:
> virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.
> 2. start a guest, then issue 'save' or 'dump' command, giving a
> sensitive system file path as the<file> parameter, for example,
> '/etc/passwd';
> 3. the sensitive system file will be overwritten;
There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.
Regards,
Daniel
--
Thanks.
Hong Xiang