On Mon, Nov 16, 2020 at 7:12 AM yebiaoxiang <yebiaoxiang(a)huawei.com> wrote:
> Hi Team
> The daemon libvirtd runs as root, which goes against the least-privilege
> security model.
> root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
> In addition, the "--listen" parameter exposes TCP or TLS ports on the network,
> increasing the attack surface.
> tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN 647824/libvirtd
> tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 647824/libvirtd
> I have the following puzzles:
> 1. Is root really the least privilege required for libvirtd to manage
> virtualization platforms? Is it possible to run libvirtd as a non-root user?
> 2. Are there any plans to resolve these security weaknesses?
> (like moving the function of "--listen" to an independent non-root process,
> or other better schemes)
While generally this is a good idea (and libvirt has been splitting
out functionality into separate daemons for improving security around
the service in general), I'm wondering if you looked at what libvirt
is supposed to do and how it works today.
Note that at least on reasonable distribution configurations,
"--listen" is no longer used by default (at least not for a couple of
years now), and even in socket-activated mode, listening on IP sockets
(TCP/TLS) requires some configuration before it works. At least out of
the box, it crashes with a not-configured error. So some interaction
is required to configure and activate that mode.
While it is possible to run libvirtd as a non-root user, it's quite
annoying to do so and requires a sufficient amount of hoop-jumping
(granting access to the KVM socket, ensuring it has the ability to bind to
ports, configuring the network, etc.) that it's easier to run it as root
and then impose rules to effectively deprivilege it by other means
(SELinux, daemon separation, etc.).
Unless you're running a version of libvirt from before 2018, I think
that your concerns are fairly well resolved.
P.S.: Your Cc for your colleagues was malformed. I fixed it in my reply.
--
真実はいつも一つ!/ Always, there's only one truth!
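The reply above turns on three facts a host either does or does not exhibit: libvirtd started with the legacy "--listen" flag, the TCP (16509) and TLS (16514) ports actually open on a non-loopback address, and, in socket-activated mode, the libvirtd-tcp.socket / libvirtd-tls.socket systemd units being enabled. The script below is an added example, not code from this thread or from the libvirt project; it audits those three points as an offline check over constructed sample output (the `ps`, `ss -ltnp` and `systemctl list-unit-files` samples are made up for the example, not captured from a real host), so on a real host you would pass it the live output of those commands instead.

```shell
#!/bin/sh
# Added example (not from the thread or from libvirt): audit libvirtd's
# network exposure from ps, ss/netstat and systemctl output. The sample
# inputs at the bottom are constructed, not captured from a real host.

# 1. Legacy mode: is libvirtd itself started with --listen?
#    $1: output of `ps -eo pid,user,args`. Exit status 0 if the flag is present.
libvirtd_uses_listen() {
    printf '%s\n' "$1" | grep -E '(^|[/ ])libvirtd .*--listen([[:space:]]|$)' >/dev/null
}

# 2. Observed exposure: which of the TCP (16509) / TLS (16514) ports does a
#    libvirtd process hold open on a wildcard address?
#    $1: output of `ss -ltnp` or `netstat -ltnp`. Prints the ports, space separated.
libvirtd_exposed_ports() {
    printf '%s\n' "$1" \
        | grep 'libvirtd' \
        | grep -E '(0\.0\.0\.0|\[::\]|\*):(16509|16514)[[:space:]]' \
        | sed -E 's/.*:(16509|16514)[[:space:]].*/\1/' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# 3. Socket-activated mode: are the systemd units that provide the IP ports
#    enabled? (libvirtd.socket, -ro and -admin are local UNIX sockets only.)
#    $1: output of `systemctl list-unit-files 'libvirtd*.socket'`.
libvirtd_enabled_ip_sockets() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^libvirtd-(tcp|tls)\.socket$/ && $2 == "enabled" { print $1 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Verdict: "legacy-listen" (the setup from the original question),
# "socket-activated-ip" (IP ports reachable via enabled systemd sockets),
# "local-only" (what the reply describes as the current distribution default).
libvirtd_exposure_verdict() {
    if libvirtd_uses_listen "$1"; then
        echo legacy-listen
    elif [ -n "$(libvirtd_exposed_ports "$2")" ] || [ -n "$(libvirtd_enabled_ip_sockets "$3")" ]; then
        echo socket-activated-ip
    else
        echo local-only
    fi
}

# Constructed sample inputs (assumed formats of ps, ss and systemctl output).
PS_LEGACY='root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen'
PS_MODERN='root 1234 0.0 0.1 1500000 30000 ? Ssl 10:00 0:00 /usr/sbin/libvirtd --timeout 120'
SS_LEGACY='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 0.0.0.0:16509 0.0.0.0:* users:(("libvirtd",pid=567642,fd=8))
LISTEN 0 4096 0.0.0.0:16514 0.0.0.0:* users:(("libvirtd",pid=567642,fd=9))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=900,fd=13))'
SS_MODERN='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=900,fd=13))'
UNITS_MODERN='UNIT FILE             STATE    PRESET
libvirtd-admin.socket enabled  enabled
libvirtd-ro.socket    enabled  enabled
libvirtd-tcp.socket   disabled disabled
libvirtd-tls.socket   disabled disabled
libvirtd.socket       enabled  enabled'
UNITS_TLS='UNIT FILE             STATE    PRESET
libvirtd-tcp.socket   disabled disabled
libvirtd-tls.socket   enabled  disabled
libvirtd.socket       enabled  enabled'

if [ "${1:-}" = "--demo" ]; then
    echo "legacy host:  $(libvirtd_exposure_verdict "$PS_LEGACY" "$SS_LEGACY" "$UNITS_MODERN")"
    echo "default host: $(libvirtd_exposure_verdict "$PS_MODERN" "$SS_MODERN" "$UNITS_MODERN")"
    echo "tls enabled:  $(libvirtd_exposure_verdict "$PS_MODERN" "$SS_MODERN" "$UNITS_TLS")"
fi
```

Run it with `--demo` to see the three sample verdicts. On a live host, `libvirtd_exposure_verdict "$(ps -eo pid,user,args)" "$(ss -ltnp)" "$(systemctl list-unit-files 'libvirtd*.socket')"` gives the verdict; a "local-only" result is the state the reply says recent distributions ship by default, and "legacy-listen" means the host is still running the pre-socket-activation configuration from the original question.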