[libvirt] [BUG,RFC] directory traversal vulnerability / qemu: name→uuid

Hello, I just tried the following command with libvirt-0.9.5git: # virsh snapshot-create "$VM" /dev/stdin <<<'<domainsnapshot><name>../../../../../../etc/passwd</name></domainsnapshot>' "Luckily" it adds a .xml suffix, but this still looks like a security problem to me, because you can overwrite any .xml-file with libvirt gibberish. Actually this was found by a user trying to create a snapshot with an embedded /, which didn't work, because the sub-directory didn't exist. I know SELinux can solve this, but I really would prefer the Qemu driver to reject such names. Another problem is, that I sometimes would like to rename a VM to a new name, because the old name doesn't describe the VM good enough. <description> is not an option, because 1) Xen doesn't store it, and 2) virsh list doesn't show it. Renaming a Qemu-VM is currently impossible, since the name of the VM is used for several files and directories and a undefine+define would loose state: /etc/libvirt/qemu/$VM.xml /var/lib/libvirt/qemu/$VM.monitor /var/lib/libvirt/qemu/save/$VM.save /var/lib/libvirt/qemu/snapshot/$VM/$SNAPSHOT.xml (Renaming outside of libvirtd can be done by hand, but requires a restart of libvirtd to get it to reload it's state.) Compared to Xen and VirtualBox (as far as I know) they both use the UUID to name their files and directroy, which looks a lot more sane to me than using the name of the VM. Would it be possible and feasible to convert the Qemu driver to use the UUID instead for file and directory naming? Sincerely Philipp -- Philipp Hahn Open Source Software Engineer hahn(a)univention.de Univention GmbH Linux for Your Business fon: +49 421 22 232- 0 Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99 http://www.univention.de/ ---------------------------------------------------------------------------- Treffen Sie Univention auf der IT&Business vom 20. bis 22. September 2011 auf dem Gemeinschaftsstand der Open Source Business Alliance in Stuttgart in Halle 3 Stand 3D27-7.