8:28 a.m.
If no uri is passed to one of the virConnectOpen-ish calls, libvirt
attempts to autoprobe a sensible URI. Part of the current logic checks
for getuid() > 0, and if that check is succesful, a libvirtd daemon is
spawned. This patch replaces this check with a call to
access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the
qemu:///system UNIX socket connect to that one by default instead of
spawning a new libvirtd daemon.
Signed-off-by: Soren Hansen <soren(a)linux2go.dk>
---
src/remote/remote_driver.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index a945710..17e6ead 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn,
if (!conn->uri) {
DEBUG0("Auto-probe remote URI");
#ifndef __sun
- if (getuid() > 0) {
+ if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) {
DEBUG0("Auto-spawn user daemon instance");
rflags |= VIR_DRV_OPEN_REMOTE_USER;
if (!autostart ||
--
1.7.1
8:59 a.m.
On Fri, Sep 03, 2010 at 03:28:58PM +0200, Soren Hansen wrote:
If no uri is passed to one of the virConnectOpen-ish calls, libvirt
attempts to autoprobe a sensible URI. Part of the current logic checks
for getuid() > 0, and if that check is succesful, a libvirtd daemon is
spawned. This patch replaces this check with a call to
access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the
qemu:///system UNIX socket connect to that one by default instead of
spawning a new libvirtd daemon.
Signed-off-by: Soren Hansen <soren(a)linux2go.dk>
---
src/remote/remote_driver.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index a945710..17e6ead 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn,
if (!conn->uri) {
DEBUG0("Auto-probe remote URI");
#ifndef __sun
- if (getuid() > 0) {
+ if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) {
DEBUG0("Auto-spawn user daemon instance");
rflags |= VIR_DRV_OPEN_REMOTE_USER;
if (!autostart ||
Hum, that sounds like a change of semantic.
Before as non root you would span a local daemon, now you use the system
one. I'm not saying it's a bad thing in most cases but it's a serious
change, and we try to avoid those in general.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
4:04 p.m.
On 03-09-2010 15:59, Daniel Veillard wrote:
> diff --git a/src/remote/remote_driver.c
b/src/remote/remote_driver.c
> index a945710..17e6ead 100644
> --- a/src/remote/remote_driver.c
> +++ b/src/remote/remote_driver.c
> @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn,
> if (!conn->uri) {
> DEBUG0("Auto-probe remote URI");
> #ifndef __sun
> - if (getuid() > 0) {
> + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) {
> DEBUG0("Auto-spawn user daemon instance");
> rflags |= VIR_DRV_OPEN_REMOTE_USER;
> if (!autostart ||
Hum, that sounds like a change of semantic.
Depends. I think of the (getuid() > 0) as a check for whether you can
access the privileged UNIX socket that simply doesn't take into account
that users other than root may have been given this privilege by way of
membership of the group owning the socket.
Before as non root you would span a local daemon, now you use the
system
one. I'm not saying it's a bad thing in most cases but it's a serious
change, and we try to avoid those in general.
As I suggested in another e-mail a short while ago in this thread, I'm
making this change to maintain the status quo in Ubuntu. We already do
this in virsh and virt-viewer and something very, very similar in
virt-manager. Someone recently dropped the virt-viewer patch by mistake,
and I decided to make the change directly in libvirt to not change how
libvirt has behaved for us in the past couple of years, so I can
certainly relate to your desire to not change the behaviour.
Personally, at least, I find this behaviour much more pleasant. On all
my servers, I just grant whoever needs to be able to deal with the VM's
on it access to the socket (by adding them to the libvirtd group), and
that's it. I don't need to instruct them to set per-application
environment variables or whatever.
Generally, I use libvirt on two classes of machine: Workstations/laptops
(where I'm functionally the only user), or on servers whose job is to
run virtual machines and nothing else.
In the former case, obviously I want to use the systemwide libvirtd to
get access to all the fancy networking things. I have absolutely no
motivation to use qemu:///session on there anymore.
In the latter case, only people who are supposed to manage the virtual
machines will have access to the server, and IMO they have no business
running stuff under qemu:///session on that box.
The only situation where I actually need qemu:///session is if I for
some reason want to run a VM on a machine that isn't mine (neither in
terms of ownership, nor responsibility). So far, that's never happened.
It's cool that it's possible(!), but I've never needed it.
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
4:17 a.m.
On Fri, Sep 03, 2010 at 11:04:21PM +0200, Soren Hansen wrote:
On 03-09-2010 15:59, Daniel Veillard wrote:
>> diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
>> index a945710..17e6ead 100644
>> --- a/src/remote/remote_driver.c
>> +++ b/src/remote/remote_driver.c
>> @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn,
>> if (!conn->uri) {
>> DEBUG0("Auto-probe remote URI");
>> #ifndef __sun
>> - if (getuid() > 0) {
>> + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) {
>> DEBUG0("Auto-spawn user daemon instance");
>> rflags |= VIR_DRV_OPEN_REMOTE_USER;
>> if (!autostart ||
>
> Hum, that sounds like a change of semantic.
Depends. I think of the (getuid() > 0) as a check for whether you can
access the privileged UNIX socket that simply doesn't take into account
that users other than root may have been given this privilege by way of
membership of the group owning the socket.
> Before as non root you would span a local daemon, now you use the system
> one. I'm not saying it's a bad thing in most cases but it's a serious
> change, and we try to avoid those in general.
As I suggested in another e-mail a short while ago in this thread, I'm
making this change to maintain the status quo in Ubuntu. We already do
this in virsh and virt-viewer and something very, very similar in
virt-manager. Someone recently dropped the virt-viewer patch by mistake,
and I decided to make the change directly in libvirt to not change how
libvirt has behaved for us in the past couple of years, so I can
certainly relate to your desire to not change the behaviour.
Personally, at least, I find this behaviour much more pleasant. On all
my servers, I just grant whoever needs to be able to deal with the VM's
on it access to the socket (by adding them to the libvirtd group), and
that's it. I don't need to instruct them to set per-application
environment variables or whatever.
Generally, I use libvirt on two classes of machine: Workstations/laptops
(where I'm functionally the only user), or on servers whose job is to
run virtual machines and nothing else.
In the former case, obviously I want to use the systemwide libvirtd to
get access to all the fancy networking things. I have absolutely no
motivation to use qemu:///session on there anymore.
Our goal is to improve qemu://session's networking such that this isn't
a reason to use qemu://system anymore. Enabing use of qemu://session
is key to solving a number of important security problems, not least
that a user should be able to just keep the disk & iso images in their
home directory and not have to worry about their ownership/permissions.
In addition by running VMs directly under the user's session things
like pulseaudio, SDL can directly access the X & GNOME sessions without
further special config.
In the latter case, only people who are supposed to manage the
virtual
machines will have access to the server, and IMO they have no business
running stuff under qemu:///session on that box.
This is ignoring two important use cases which are common in the
corporate world. Shared development servers where many users are
on one server, and personal workstations where the users are not
allowed to have root.
The thing about heuristics is that they're never correct for everyone.
Your patch is making it more correct for one group of people, and less
correct for a different group of people. Further making a significant
functional change to libvirt that will break things for people that are
relying on the existing behaviour.
If someone wants to save typing they need merely set LIBVIRT_CONNECT_URI
to whatever they want and thus avoid the default connection logic completely.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5:16 a.m.
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this
isn't a reason to use qemu://system anymore
Fair enough, but when that happens, I'm supposing people won't have
access to the system-wide UNIX socket anymore.
Enabing use of qemu://session is key to solving a number of
important security problems, not least that a user should be able to
just keep the disk & iso images in their home directory and not have
to worry about their ownership/permissions.
True.
In addition by running VMs directly under the user's session
things
like pulseaudio, SDL can directly access the X & GNOME sessions
without further special config.
I was under the impression that currently targeted solution to at least
the audio problem was tunelling through VNC?
This is ignoring two important use cases which are common in the
corporate world. Shared development servers where many users are on
one server, and personal workstations where the users are not
allowed to have root.
I disagree. In both of those cases, I'd be surprised if people were able
to access the privileged libvirtd socket. In the former case, if people
generally had access to the systemwide libvirtd instance, I'd assume
that was because that was the one they were supposed to use for their
shared development stuff. In the latter case, with that sort of access,
I could have full root shell access within minutes, so that'd be a
pretty big security fail.
The thing about heuristics is that they're never correct for
everyone. Your patch is making it more correct for one group of
people, and less correct for a different group of people. Further
making a significant functional change to libvirt that will break
things for people that are relying on the existing behaviour.
I understand the difficulty of heuristics. That's exactly why I think
this discussion is useful: It seeks to determine the accuracy of the
current heuristic, which I claim is inaccurate in all but extraordinary
cases.
If someone wants to save typing they need merely set
LIBVIRT_CONNECT_URI to whatever they want and thus avoid the default
connection logic completely.
As you point out to Eric elsewhere in this thread, this is about
adjusting the behaviour of the heuristic, not about just providing a
default URI. I admit, though, that I did not know of the environment
variable to do this, which is called LIBVIRT_DEFAULT_URI, by the way :)
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
5:24 a.m.
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
> Our goal is to improve qemu://session's networking such that this
> isn't a reason to use qemu://system anymore
Fair enough, but when that happens, I'm supposing people won't have
access to the system-wide UNIX socket anymore.
No, we won't change access to the system instance, the policy
for that is already configurable per-host by admins if they
so desire. It is more a case of making virt-manager use the
qemu:///session uri by default, rather than a change in libvirtd.
> In addition by running VMs directly under the user's session
things
> like pulseaudio, SDL can directly access the X & GNOME sessions
> without further special config.
I was under the impression that currently targeted solution to at least
the audio problem was tunelling through VNC?
Yep, that is another piece of work - they're not mutually exclusive,
since the audio-over-VNC functionality is useful for remote access
across the network, as well as local system access.
> This is ignoring two important use cases which are common in the
> corporate world. Shared development servers where many users are on
> one server, and personal workstations where the users are not
> allowed to have root.
I disagree. In both of those cases, I'd be surprised if people were able
to access the privileged libvirtd socket. In the former case, if people
generally had access to the systemwide libvirtd instance, I'd assume
that was because that was the one they were supposed to use for their
shared development stuff. In the latter case, with that sort of access,
I could have full root shell access within minutes, so that'd be a
pretty big security fail.
You are equating access to the UNIX socket, with authorization to
the unix socket. With PolicyKit auth enabled by default, the UNIX
socket is mode 0777 at all times, but this does not imply that
all users are able to use it. They can connect, but if PolicyKit
denies them, their connection will be dropped by the server.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
6:07 a.m.
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
> On 06-09-2010 11:17, Daniel P. Berrange wrote:
>> Our goal is to improve qemu://session's networking such that
>> this isn't a reason to use qemu://system anymore
> Fair enough, but when that happens, I'm supposing people won't have
> access to the system-wide UNIX socket anymore.
No, we won't change access to the system instance, the policy for
that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins
won't give users access to the privileged UNIX socket.
> I disagree. In both of those cases, I'd be surprised if
people
> were able to access the privileged libvirtd socket. In the former
> case, if people generally had access to the systemwide libvirtd
> instance, I'd assume that was because that was the one they were
> supposed to use for their shared development stuff. In the latter
> case, with that sort of access, I could have full root shell access
> within minutes, so that'd be a pretty big security fail.
You are equating access to the UNIX socket, with authorization to
the unix socket.
Indeed I am.
With PolicyKit auth enabled by default, the UNIX socket is mode 0777
at all times, but this does not imply that all users are able to use
it. They can connect, but if PolicyKit denies them, their connection
will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :)
What if I could come up with a check for whether the user would be
authorized to access the socket? Like including a auth_unix_rw == "none"
condition in the check? Would that change your view at all?
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
6:22 a.m.
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
> On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
>> On 06-09-2010 11:17, Daniel P. Berrange wrote:
>>> Our goal is to improve qemu://session's networking such that
>>> this isn't a reason to use qemu://system anymore
>> Fair enough, but when that happens, I'm supposing people won't have
>> access to the system-wide UNIX socket anymore.
> No, we won't change access to the system instance, the policy for
> that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins
won't give users access to the privileged UNIX socket.
Or they'll leave the permissions 0777 and simply change the policykit
rule to deny access, or they'll not change anything, and simply not
tell the user the root password, which is what's required to be entered
with policykit to access qemu:///system.
>> I disagree. In both of those cases, I'd be surprised if
people
>> were able to access the privileged libvirtd socket. In the former
>> case, if people generally had access to the systemwide libvirtd
>> instance, I'd assume that was because that was the one they were
>> supposed to use for their shared development stuff. In the latter
>> case, with that sort of access, I could have full root shell access
>> within minutes, so that'd be a pretty big security fail.
> You are equating access to the UNIX socket, with authorization to
> the unix socket.
Indeed I am.
Therein lies the flaw in this approach.
> With PolicyKit auth enabled by default, the UNIX socket is mode
0777
> at all times, but this does not imply that all users are able to use
> it. They can connect, but if PolicyKit denies them, their connection
> will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :)
What if I could come up with a check for whether the user would be
authorized to access the socket? Like including a auth_unix_rw == "none"
condition in the check? Would that change your view at all?
PolicyKit is just one example I happened to pick, the same logic applies
to any of the other authentication/authorization methods that libvirtd
applies. Any check based on socket permissions is fundamentally flawed,
even with auth_unix_rw="none" (which you can't check because a non-root
user can't read /etc/libvirt/libvirtd.conf), when we add role based
access control, you may be able to connect to the 'rw' socket, but have
no more privileges than on the 'ro' socket.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
7:03 a.m.
On 06-09-2010 13:22, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
> On 06-09-2010 12:24, Daniel P. Berrange wrote:
>> On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
>>> On 06-09-2010 11:17, Daniel P. Berrange wrote:
>>>> Our goal is to improve qemu://session's networking such that
>>>> this isn't a reason to use qemu://system anymore
>>> Fair enough, but when that happens, I'm supposing people won't
>>> have access to the system-wide UNIX socket anymore.
>> No, we won't change access to the system instance, the policy
>> for that is already configurable per-host by admins if they so
>> desire.
> Yes, that's what I meant. If qemu:///session turns useful enough,
> admins won't give users access to the privileged UNIX socket.
Or they'll leave the permissions 0777 and simply change the policykit
rule to deny access, or they'll not change anything, and simply not
tell the user the root password, which is what's required to be
entered with policykit to access qemu:///system.
I understand. I wrote the above under the (false) assumption that having
write access to the UNIX socket implied having privileges to the
system's libvirtd.
>>> I disagree. In both of those cases, I'd be surprised
if people
>>> were able to access the privileged libvirtd socket. In the
>>> former case, if people generally had access to the systemwide
>>> libvirtd instance, I'd assume that was because that was the
>>> one they were supposed to use for their shared development
>>> stuff. In the latter case, with that sort of access, I could
>>> have full root shell access within minutes, so that'd be a
>>> pretty big security fail.
>> You are equating access to the UNIX socket, with authorization to
>> the unix socket.
> Indeed I am.
Therein lies the flaw in this approach.
Yes, I learned that a few lines further down. :)
>> With PolicyKit auth enabled by default, the UNIX socket is
mode
>> 0777 at all times, but this does not imply that all users are
>> able to use it. They can connect, but if PolicyKit denies them,
>> their connection will be dropped by the server.
> Fascinating. I had no idea. That's a very convincing argument :)
> What if I could come up with a check for whether the user would be
> authorized to access the socket? Like including a auth_unix_rw ==
> "none" condition in the check? Would that change your view at
> all?
PolicyKit is just one example I happened to pick,
auth_unix_rw == "none" was also just an example.
the same logic applies to any of the other
authentication/authorization methods that libvirtd applies.
Of course.
Any check based on socket permissions is fundamentally flawed,
I feel the same way about one that is based on uid, to be honest.
even with auth_unix_rw="none" (which you can't check
because a
non-root user can't read /etc/libvirt/libvirtd.conf),
On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be worried
about that? A quick glance in there doesn't reveal anything that I'm
uncomfortable disclosing.
when we add role based access control, you may be able to connect to
the 'rw' socket, but have no more privileges than on the 'ro'
socket.
In that particular case, I could also check for whether RBAC was
enabled, but that's really beside the point right now. My question was a
general one: Assuming I can determine that a given user is authorized to
manage the systemwide libvirtd, would you agree that that is the one
they're most likely to want to access? I simply cannot think up a
realistic example use case where someone has this privilege, but
actually wants to access qemu:///session.
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
7:18 a.m.
On Mon, Sep 06, 2010 at 02:03:08PM +0200, Soren Hansen wrote:
On 06-09-2010 13:22, Daniel P. Berrange wrote:
> On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
>> On 06-09-2010 12:24, Daniel P. Berrange wrote:
>>> On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
>>>> On 06-09-2010 11:17, Daniel P. Berrange wrote:
>>>>> Our goal is to improve qemu://session's networking such that
>>>>> this isn't a reason to use qemu://system anymore
>>>> Fair enough, but when that happens, I'm supposing people won't
>>>> have access to the system-wide UNIX socket anymore.
>>> No, we won't change access to the system instance, the policy
>>> for that is already configurable per-host by admins if they so
>>> desire.
>> Yes, that's what I meant. If qemu:///session turns useful enough,
>> admins won't give users access to the privileged UNIX socket.
> Or they'll leave the permissions 0777 and simply change the policykit
> rule to deny access, or they'll not change anything, and simply not
> tell the user the root password, which is what's required to be
> entered with policykit to access qemu:///system.
I understand. I wrote the above under the (false) assumption that having
write access to the UNIX socket implied having privileges to the
system's libvirtd.
>>>> I disagree. In both of those cases, I'd be surprised if people
>>>> were able to access the privileged libvirtd socket. In the
>>>> former case, if people generally had access to the systemwide
>>>> libvirtd instance, I'd assume that was because that was the
>>>> one they were supposed to use for their shared development
>>>> stuff. In the latter case, with that sort of access, I could
>>>> have full root shell access within minutes, so that'd be a
>>>> pretty big security fail.
>>> You are equating access to the UNIX socket, with authorization to
>>> the unix socket.
>> Indeed I am.
> Therein lies the flaw in this approach.
Yes, I learned that a few lines further down. :)
>>> With PolicyKit auth enabled by default, the UNIX socket is mode
>>> 0777 at all times, but this does not imply that all users are
>>> able to use it. They can connect, but if PolicyKit denies them,
>>> their connection will be dropped by the server.
>> Fascinating. I had no idea. That's a very convincing argument :)
>> What if I could come up with a check for whether the user would be
>> authorized to access the socket? Like including a auth_unix_rw ==
>> "none" condition in the check? Would that change your view at
>> all?
> PolicyKit is just one example I happened to pick,
auth_unix_rw == "none" was also just an example.
> the same logic applies to any of the other
> authentication/authorization methods that libvirtd applies.
Of course.
> Any check based on socket permissions is fundamentally flawed,
I feel the same way about one that is based on uid, to be honest.
> even with auth_unix_rw="none" (which you can't check because a
> non-root user can't read /etc/libvirt/libvirtd.conf),
On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be worried
about that? A quick glance in there doesn't reveal anything that I'm
uncomfortable disclosing.
The /etc/libvirt directory itself should be 0700 though, since various
files under that location include passwords (qemu.conf, secrets/*,
qemu/*xml, lxc/*xml, uml/*xml). We don't currently have any passwords
in libvirtd.conf itself, but its certainly possible this might change
in the future. While it is possible to rely on getting each individual
file there to have correct permissions, IMHO it is safer to make the
/etc/libvirt directory 0700
> when we add role based access control, you may be able to
connect to
> the 'rw' socket, but have no more privileges than on the 'ro'
> socket.
In that particular case, I could also check for whether RBAC was
enabled, but that's really beside the point right now. My question was a
general one: Assuming I can determine that a given user is authorized to
manage the systemwide libvirtd, would you agree that that is the one
they're most likely to want to access? I simply cannot think up a
realistic example use case where someone has this privilege, but
actually wants to access qemu:///session.
No, I don't agree. I already mentioned the reasons why it is desirable
to run within the user session - SDL, audio, disk permissions, and to
add another one gnome-keyring integration for qcow2 passwords which is
a future feature we'd like for the secrets driver. IMHO if we are to get
better integration into the user's desktop experiance, then having both
libvirtd & the VMs running in the user's context, rather than a separate
context is key.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
7:53 a.m.
On 06-09-2010 14:18, Daniel P. Berrange wrote:
> On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be
> worried about that? A quick glance in there doesn't reveal anything
> that I'm uncomfortable disclosing.
The /etc/libvirt directory itself should be 0700 though,
Nope, it's 0755. :( I'll look into getting that fixed.
since various files under that location include passwords
(qemu.conf,
secrets/*, qemu/*xml, lxc/*xml, uml/*xml). We don't currently have
any passwords in libvirtd.conf itself, but its certainly possible
this might change in the future. While it is possible to rely on
getting each individual file there to have correct permissions, IMHO
it is safer to make the /etc/libvirt directory 0700
Makes sense. Thanks for pointing this out. I've never used passwords in
any of these files myself, so I never really gave it much thought :(
> Assuming I can determine that a given user is authorized to
manage
> the systemwide libvirtd, would you agree that that is the one
> they're most likely to want to access? I simply cannot think up a
> realistic example use case where someone has this privilege, but
> actually wants to access qemu:///session.
No, I don't agree. I already mentioned the reasons why it is
desirable to run within the user session - SDL, audio, disk
permissions, and to add another one gnome-keyring integration for
qcow2 passwords which is a future feature we'd like for the secrets
driver. IMHO if we are to get better integration into the user's
desktop experiance, then having both libvirtd & the VMs running in
the user's context, rather than a separate context is key.
Yes, of course, when qemu:///session gets this smart and cool you will
want to access qemu:///session by default. At /exactly/ the same time,
the motivation for setting yourself up with access to qemu:///system
disappears. When that motivation is gone, any admin worth his salt will
immediately revoke said access (in the shared scenario) (since it's a
gaping security hole) and voilĂ , libvirt will go back to using
qemu:///session by default.
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
6:28 a.m.
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
> On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
>> On 06-09-2010 11:17, Daniel P. Berrange wrote:
>>> Our goal is to improve qemu://session's networking such that
>>> this isn't a reason to use qemu://system anymore
>> Fair enough, but when that happens, I'm supposing people won't have
>> access to the system-wide UNIX socket anymore.
> No, we won't change access to the system instance, the policy for
> that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins
won't give users access to the privileged UNIX socket.
>> I disagree. In both of those cases, I'd be surprised if people
>> were able to access the privileged libvirtd socket. In the former
>> case, if people generally had access to the systemwide libvirtd
>> instance, I'd assume that was because that was the one they were
>> supposed to use for their shared development stuff. In the latter
>> case, with that sort of access, I could have full root shell access
>> within minutes, so that'd be a pretty big security fail.
> You are equating access to the UNIX socket, with authorization to
> the unix socket.
Indeed I am.
> With PolicyKit auth enabled by default, the UNIX socket is mode 0777
> at all times, but this does not imply that all users are able to use
> it. They can connect, but if PolicyKit denies them, their connection
> will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :)
What if I could come up with a check for whether the user would be
authorized to access the socket? Like including a auth_unix_rw == "none"
condition in the check? Would that change your view at all?
Speaking personally and as a user here, I think qemu://session is a good thing, I
think the process of giving users elevated permissions to use qemu+KVM has been a bad
thing for a while now and any attempts at correcting this behaviour is a positive step.
If someone is in an environment where they need to manage the system qemu instance (i.e.
production environments) then I would imagine that they would be aware that they need to
connect 'somewhere else'. If the environment variable suggested before already
exists (sorry couldn't tell) then that is enough to allow those companies to change
the default behaviour.
My 2 cents.
6:45 a.m.
On Mon, Sep 06, 2010 at 10:17:17AM +0100, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this
isn't
a reason to use qemu://system anymore.
BTW, some ideas we have for attacking this problem are
- Add support to network manager to create TAP devices on behalf
of the logged in user. Thus libvirt would talk to NM over dbus
and ask it to create a TAP device, which we then pass to QEMU
in the normal manner. Thus neither libvirtd or QEMU need higher
privileges. This also requires NM to understand bridging setup.
- Integrate with VDE as the solution for the 'virtual network'
functionality in libvirt. This improves on 'user' networking
mode by allowing VMs to talk to each other, out of the box
they still have slirp based access to the outside world. It
is possible to make VDE use a TAP device for connectivity
to the outside world, so either the admin can set one up,
or again we can ask network manager todo it, which in this
case doesn't require full bridging support - just NAT which
NM can already do via its 'connection sharing' feature.
- A setuid helper program that libvirtd can use for setting up
TAP devices. This is just a crappier version of getting network
manager todo it for us.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
9:08 a.m.
On Fri, Sep 03, 2010 at 03:28:58PM +0200, Soren Hansen wrote:
If no uri is passed to one of the virConnectOpen-ish calls, libvirt
attempts to autoprobe a sensible URI. Part of the current logic checks
for getuid() > 0, and if that check is succesful, a libvirtd daemon is
spawned. This patch replaces this check with a call to
access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the
qemu:///system UNIX socket connect to that one by default instead of
spawning a new libvirtd daemon.
NACK, I don't think we should be changing this. If the user
is unprivileged, it should always default to the unprivileged
libvirtd, regardless of whether they are also authorized to
connect to the privileged libvirtd (via socket permissions or
policykit, or kerberos). If the unprivileged user still wants
the privileged libvirtd, they should given an explicit URI.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
3:38 p.m.
On 03-09-2010 16:08, Daniel P. Berrange wrote:
> If no uri is passed to one of the virConnectOpen-ish calls,
libvirt
> attempts to autoprobe a sensible URI. Part of the current logic checks
> for getuid() > 0, and if that check is succesful, a libvirtd daemon is
> spawned. This patch replaces this check with a call to
> access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the
> qemu:///system UNIX socket connect to that one by default instead of
> spawning a new libvirtd daemon.
NACK, I don't think we should be changing this. If the user
is unprivileged, it should always default to the unprivileged
libvirtd, regardless of whether they are also authorized to
connect to the privileged libvirtd (via socket permissions or
policykit, or kerberos). If the unprivileged user still wants
the privileged libvirtd, they should given an explicit URI.
Hm... I didn't think this was going to be controversial :)
I firmly believe that if a user has access to the privileged libvirt
daemon, that's the one he'll want to interact with in all but
extraordinary cases. I consider it very analogous to how virt-manager
doesn't even offer usermode networking if you're connected to
qemu:///system, since if you aren't stuck with usermode networking,
there's no reason to use it (other than to prove this statement wrong).
Ubuntu has carried patches for this for virsh, virt-manager, and
virt-viewer for a while now (at least a year and a half). I'm not sure
if they've been submitted here (or to et-mgmt-tools) before (and if not,
why not), but that's the lay of the land, and I've had nothing but good
feedback on it. Now I just wanted to fix it properly (directly in
libvirt) and get it upstream. It's certainly saved me a lot of typing.
--
Soren Hansen
Ubuntu Developer
http://www.ubuntu.com/
3:50 p.m.
On 09/03/2010 02:38 PM, Soren Hansen wrote:
> NACK, I don't think we should be changing this. If the user
> is unprivileged, it should always default to the unprivileged
> libvirtd, regardless of whether they are also authorized to
> connect to the privileged libvirtd (via socket permissions or
> policykit, or kerberos). If the unprivileged user still wants
> the privileged libvirtd, they should given an explicit URI.
Hm... I didn't think this was going to be controversial :)
Maybe a less-controversial patch would be changing configure.ac to add a
configure option for the default URI string for non-privileged users?
Right now, the default is hard-coded to qemu:///session, but by letting
it be a configure choice, then it would be up to the end user (or
distro) whether to risk the default of qemu:///system as well as
exposing the socket as writable.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
4:07 a.m.
On Fri, Sep 03, 2010 at 02:50:00PM -0600, Eric Blake wrote:
On 09/03/2010 02:38 PM, Soren Hansen wrote:
>>NACK, I don't think we should be changing this. If the user
>>is unprivileged, it should always default to the unprivileged
>>libvirtd, regardless of whether they are also authorized to
>>connect to the privileged libvirtd (via socket permissions or
>>policykit, or kerberos). If the unprivileged user still wants
>>the privileged libvirtd, they should given an explicit URI.
>
>Hm... I didn't think this was going to be controversial :)
Maybe a less-controversial patch would be changing configure.ac to add a
configure option for the default URI string for non-privileged users?
Right now, the default is hard-coded to qemu:///session, but by letting
it be a configure choice, then it would be up to the end user (or
distro) whether to risk the default of qemu:///system as well as
exposing the socket as writable.
There is no compile time concept of default URI to make configurable.
If no URI is found, libvirt probes each hypervisor driver in turn.
As an end user though, you can edit $HOME/.bashrc and set the env
variable LIBVIRT_DEFAULT_URI to ensure a URI is always found before
it gets the probing logic.
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5191
days inactive
5194
days old
16 comments
6 participants
participants (6)
-
Daniel P. Berrange -
Daniel Veillard -
Eric Blake -
Nigel Jones -
Soren Hansen -
Soren Hansen