4:49 a.m.
Hi all,
When we change the user for QEMU process (change "user" and "group"
in
/etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
also change the ownership of /var/cache/libvirt/qemu but will keep the
ownership of /var/cache/libvirt/qemu/capabilities as root.
Is it secure to put files/directories owned by root in a directory
owned by a normal user? Could the normal user replace the root's file
with a new one? Does it need to set sticky bit on
/var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
as root?
2:57 a.m.
On 8/22/21 11:49 AM, Peng Liang wrote:
Hi all,
When we change the user for QEMU process (change "user" and "group"
in
/etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
also change the ownership of /var/cache/libvirt/qemu but will keep the
ownership of /var/cache/libvirt/qemu/capabilities as root.
Is it secure to put files/directories owned by root in a directory
owned by a normal user? Could the normal user replace the root's file
with a new one?
No, the capabilities directory lacks write perms:
drwxr-xr-x 2 root root 234 Aug 20 17:11
/var/cache/libvirt/qemu/capabilities/
and caps files themselves are RW by root only:
-rw------- 1 root root 144215 Aug 20 15:38
926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
Therefore, I don't think a regular user could spoof capabilities.
Does it need to set sticky bit on
/var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
as root?
No, setting sticky bit would make caps files owned by root:group and I
don't think we want that (even though, not even group can write caps files).
I hope this answers your concern.
Michal
3:22 a.m.
On 8/23/2021 3:57 PM, Michal Prívozník wrote:
On 8/22/21 11:49 AM, Peng Liang wrote:
> Hi all,
> When we change the user for QEMU process (change "user" and
"group" in
> /etc/libvirt/qemu.conf) to a normal user, we found that libvirtd will
> also change the ownership of /var/cache/libvirt/qemu but will keep the
> ownership of /var/cache/libvirt/qemu/capabilities as root.
> Is it secure to put files/directories owned by root in a directory
> owned by a normal user? Could the normal user replace the root's file
> with a new one?
No, the capabilities directory lacks write perms:
drwxr-xr-x 2 root root 234 Aug 20 17:11
/var/cache/libvirt/qemu/capabilities/
and caps files themselves are RW by root only:
-rw------- 1 root root 144215 Aug 20 15:38
926803a9278e445ec919c2b6cbd8c1c449c75b26dcb1686b774314180376c725.xml
Therefore, I don't think a regular user could spoof capabilities.
But the regular user can rename capabilities and create a new one. For
example,
# runuser -u qemu -- mv /var/cache/libvirt/qemu/capabilities
/var/cache/libvirt/qemu/capabilities-bak
# runuser -u qemu -- mkdir /var/cache/libvirt/qemu/capabilities
runuser -u qemu -- touch /var/cache/libvirt/qemu/capabilities/<hash>.xml
And I found that the operations can be done even though the sticky bit
is set on /var/cache/libvirt/qemu :(
> Does it need to set sticky bit on
> /var/cache/libvirt/qemu or keep the ownership of /var/cache/libvirt/qemu
> as root?
>
No, setting sticky bit would make caps files owned by root:group and I
don't think we want that (even though, not even group can write caps files).
I hope this answers your concern.
I found that libvirt will put some temporary files (e.g. screenshot
files) which are used by qemu in /var/cache/libvirt/qemu. How about
move those files to domain dirs in /var/run/libvirt/qemu and keep the
ownership of /var/cache/libvirt/qemu as root?
Thanks,
Peng
Michal
.
1187
days inactive
1188
days old
2 comments
2 participants
participants (2)
-
Michal Prívozník -
Peng Liang