[libvirt] improve security by adjusting the privileges of libvirtd processes
Hi Team The daemon libvirtd runs as root user, which against the least privilege security model. root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen In addition, the "--listen" parameter exposes TCP or TLS ports on the network, it increasing the attack surface. tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN 647824/libvirtd tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 647824/libvirtd I have the following puzzles: 1. Whether root is the least privilege required for libvirtd to manage virtualization platforms, it's possible to run libvirtd as a non-root user? 2. Is there any plan to resolve this security weaknesses? (like move the function of "--listen" to an independent non-root process, or other better schemes) Regards, BiaoXiang
On Mon, Nov 16, 2020 at 7:12 AM yebiaoxiang <yebiaoxiang@huawei.com> wrote:
Hi Team
The daemon libvirtd runs as root user, which against the least privilege security model.
root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
In addition, the "--listen" parameter exposes TCP or TLS ports on the network, it increasing the attack surface.
tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN 647824/libvirtd tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 647824/libvirtd
I have the following puzzles: 1. Whether root is the least privilege required for libvirtd to manage virtualization platforms, it's possible to run libvirtd as a non-root user?
2. Is there any plan to resolve this security weaknesses? (like move the function of "--listen" to an independent non-root process, or other better schemes)
While generally this is a good idea (and libvirt has been splitting out functionality into separate daemons for improving security around the service in general), I'm wondering if you looked at what libvirt is supposed to do and how it works today. Note that at least on reasonable distribution configurations, "--listen" is no longer used by default (at least not for a couple of years now), and even in socket-activated mode, listening on IP sockets (TCP/TLS) requires some configuration before it works. At least out of the box, it crashes with a not-configured error. So some interaction is required to configure and activate that mode. While it is possible to run libvirtd as a non-root user, it's quite annoying to do so and requires sufficient amount of hoop-jumping (granting access to KVM socket, ensuring it has ability to bind to ports, configuring network, etc.) that it's easier to run it as root and then impose rules to effectively deprivilege it by other means (SELinux, daemon separation, etc.). Unless you're running a version of libvirt from before 2018, I think that your concerns are fairly well resolved. P.S.: Your Cc for your colleagues was malformed. I fixed it in my reply. -- 真実はいつも一つ!/ Always, there's only one truth!
participants (2)
-
Neal Gompa -
yebiaoxiang