On Fri, Aug 25, 2017 at 06:45:18 +0000, Zhangbo (Oscar) wrote:
> Hi all:
> The Host Administrator is capable of running any exec in guests via the
> qemu-ga command "guest-exec", eg:
>
> virsh qemu-agent-command test_guest '{"execute": "guest-exec",
> "arguments": {"path": "ifconfig", "arg": [ "eth1", "192.168.0.99" ],
> "capture-output": true } }'
> {"return":{"pid":12425}}
> virsh qemu-agent-command test_guest '{"execute": "guest-exec-status",
> "arguments": { "pid": 12425 } }'
> {"return":{"exitcode":0,"exited":true}}
>
> The example above just changes the guest's ip address, but the Administrator
> may also change guests' user passwords, get sensitive information, etc., which
> causes Insider Access.
> The Administrator can also use other commands such as "guest-file-open"
> that also cause Insider Access.
>
> So, how to avoid this security problem, what's your suggestion?
You can use the "--blacklist" facility of qemu-ga to disable APIs you
don't want to support. Or don't run the guest agent at all.
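Added example, not part of this thread or of qemu-ga itself: a small Python audit helper a cloud operator can run on the host against the JSON that `virsh qemu-agent-command <guest> '{"execute": "guest-info"}'` returns. It lists which of the RPCs discussed above the agent still reports as enabled and renders the matching `--blacklist` value and qemu-ga.conf stanza. The `guest-info` reply below is constructed, and the set of RPCs treated as sensitive is this example's own assumption.

```python
import json

# RPCs treated here as "Insider Access" risks when reachable from the host.
# This set is an assumption of the example, not an exhaustive qemu-ga audit.
SENSITIVE_RPCS = (
    "guest-exec",
    "guest-exec-status",
    "guest-file-open",
    "guest-file-read",
    "guest-file-write",
    "guest-set-user-password",
)

# Constructed sample of a "guest-info" reply, shaped like the real one:
# an agent version plus a supported_commands list with per-RPC enabled flags.
SAMPLE_GUEST_INFO = json.dumps({
    "return": {
        "version": "2.9.0",
        "supported_commands": [
            {"name": "guest-ping", "enabled": True, "success-response": True},
            {"name": "guest-exec", "enabled": True, "success-response": True},
            {"name": "guest-exec-status", "enabled": True, "success-response": True},
            {"name": "guest-file-open", "enabled": False, "success-response": True},
            {"name": "guest-set-user-password", "enabled": True, "success-response": True},
        ],
    }
})


def enabled_sensitive_rpcs(guest_info_json):
    """Return the sensitive RPCs the agent reports as enabled, sorted by name."""
    reply = json.loads(guest_info_json)
    cmds = reply.get("return", {}).get("supported_commands", [])
    return sorted(
        c["name"] for c in cmds
        if c.get("enabled") and c["name"] in SENSITIVE_RPCS
    )


def blacklist_argument(rpcs):
    """Value for qemu-ga's -b/--blacklist option: comma-separated, no spaces."""
    return ",".join(sorted(set(rpcs)))


def qemu_ga_conf(rpcs):
    """Equivalent stanza for the qemu-ga.conf 'blacklist' key."""
    return "[general]\nblacklist=%s\n" % blacklist_argument(rpcs)


if __name__ == "__main__":
    exposed = enabled_sensitive_rpcs(SAMPLE_GUEST_INFO)
    print("sensitive RPCs still enabled in this guest:", exposed)
    print("qemu-ga --blacklist=" + blacklist_argument(SENSITIVE_RPCS))
    print(qemu_ga_conf(SENSITIVE_RPCS))
```

Because `guest-info` is answered by the agent inside the guest, this check only tells the operator what a tenant-installed agent has left enabled; it does not itself restrict anything on the host side.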
This works if the qemu-agent inside the guest is installed by us, the cloud provider. But if
the guest is installed entirely by the cloud tenant himself, he may not know to add
"--blacklist" by default, and doesn't notice that his OS is exposed to host attackers.
How to solve this problem? It seems that we have to mitigate the threat on the host side?