On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
> I found there's a way for an unprivileged user to overwrite a sensitive
> system file with virsh, here's how:
> 1. (as an unprivileged user) start virsh and connect to the r/w
> socket of libvirtd:
> virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock

Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.

> 2. start a guest, then issue 'save' or 'dump' command, giving a
> sensitive system file path as the <file> parameter, for example,
> '/etc/passwd';
> 3. the sensitive system file will be overwritten;

There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
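
Added example, not part of the original thread and not libvirt's own code: a Python check of the libvirtd.conf settings that decide who can use the read-write socket when authentication has been turned off, the case the reply above sets aside. The sample configuration is constructed and the function names are hypothetical; keys that are not set are reported as unknown rather than guessed.

```python
import re

# Constructed sample of a libvirtd.conf (not taken from the thread).
SAMPLE_CONF = '''
# UNIX socket access controls
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
#auth_unix_rw = "polkit"
auth_unix_rw = "none"
'''

# key = "value" or key = value, with an optional trailing comment
LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_conf(text):
    """Return explicitly set key/value pairs; commented-out lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def rw_socket_exposure(conf):
    """Classify who becomes root-equivalent through the read-write socket."""
    auth = conf.get("auth_unix_rw")
    if auth is None:
        return "unknown: auth_unix_rw not set, build default applies"
    if auth != "none":
        return f"authenticated: {auth} required on the read-write socket"
    perms = conf.get("unix_sock_rw_perms")
    if perms is None:
        return "unauthenticated: socket mode not set, check file permissions"
    mode = int(perms, 8)  # the setting is an octal string such as "0770"
    if mode & 0o002:
        return "unauthenticated: any local user is root-equivalent"
    if mode & 0o020:
        group = conf.get("unix_sock_group", "(group not set)")
        return f"unauthenticated: members of group {group} are root-equivalent"
    return "unauthenticated: only the socket owner can connect"

if __name__ == "__main__":
    print(rw_socket_exposure(parse_conf(SAMPLE_CONF)))
```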