[libvirt] [PATCH] Default to qemu:///system if accessible
If no uri is passed to one of the virConnectOpen-ish calls, libvirt attempts to autoprobe a sensible URI. Part of the current logic checks for getuid() > 0, and if that check is succesful, a libvirtd daemon is spawned. This patch replaces this check with a call to access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the qemu:///system UNIX socket connect to that one by default instead of spawning a new libvirtd daemon. Signed-off-by: Soren Hansen <soren@linux2go.dk> --- src/remote/remote_driver.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index a945710..17e6ead 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn, if (!conn->uri) { DEBUG0("Auto-probe remote URI"); #ifndef __sun - if (getuid() > 0) { + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) { DEBUG0("Auto-spawn user daemon instance"); rflags |= VIR_DRV_OPEN_REMOTE_USER; if (!autostart || -- 1.7.1
On Fri, Sep 03, 2010 at 03:28:58PM +0200, Soren Hansen wrote:
If no uri is passed to one of the virConnectOpen-ish calls, libvirt attempts to autoprobe a sensible URI. Part of the current logic checks for getuid() > 0, and if that check is succesful, a libvirtd daemon is spawned. This patch replaces this check with a call to access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the qemu:///system UNIX socket connect to that one by default instead of spawning a new libvirtd daemon.
Signed-off-by: Soren Hansen <soren@linux2go.dk> --- src/remote/remote_driver.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index a945710..17e6ead 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn, if (!conn->uri) { DEBUG0("Auto-probe remote URI"); #ifndef __sun - if (getuid() > 0) { + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) { DEBUG0("Auto-spawn user daemon instance"); rflags |= VIR_DRV_OPEN_REMOTE_USER; if (!autostart ||
Hum, that sounds like a change of semantic. Before as non root you would span a local daemon, now you use the system one. I'm not saying it's a bad thing in most cases but it's a serious change, and we try to avoid those in general. Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
On 03-09-2010 15:59, Daniel Veillard wrote:
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index a945710..17e6ead 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn, if (!conn->uri) { DEBUG0("Auto-probe remote URI"); #ifndef __sun - if (getuid() > 0) { + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) { DEBUG0("Auto-spawn user daemon instance"); rflags |= VIR_DRV_OPEN_REMOTE_USER; if (!autostart ||
Hum, that sounds like a change of semantic.
Depends. I think of the (getuid() > 0) as a check for whether you can access the privileged UNIX socket that simply doesn't take into account that users other than root may have been given this privilege by way of membership of the group owning the socket.
Before as non root you would span a local daemon, now you use the system one. I'm not saying it's a bad thing in most cases but it's a serious change, and we try to avoid those in general.
As I suggested in another e-mail a short while ago in this thread, I'm making this change to maintain the status quo in Ubuntu. We already do this in virsh and virt-viewer and something very, very similar in virt-manager. Someone recently dropped the virt-viewer patch by mistake, and I decided to make the change directly in libvirt to not change how libvirt has behaved for us in the past couple of years, so I can certainly relate to your desire to not change the behaviour. Personally, at least, I find this behaviour much more pleasant. On all my servers, I just grant whoever needs to be able to deal with the VM's on it access to the socket (by adding them to the libvirtd group), and that's it. I don't need to instruct them to set per-application environment variables or whatever. Generally, I use libvirt on two classes of machine: Workstations/laptops (where I'm functionally the only user), or on servers whose job is to run virtual machines and nothing else. In the former case, obviously I want to use the systemwide libvirtd to get access to all the fancy networking things. I have absolutely no motivation to use qemu:///session on there anymore. In the latter case, only people who are supposed to manage the virtual machines will have access to the server, and IMO they have no business running stuff under qemu:///session on that box. The only situation where I actually need qemu:///session is if I for some reason want to run a VM on a machine that isn't mine (neither in terms of ownership, nor responsibility). So far, that's never happened. It's cool that it's possible(!), but I've never needed it. -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On Fri, Sep 03, 2010 at 11:04:21PM +0200, Soren Hansen wrote:
On 03-09-2010 15:59, Daniel Veillard wrote:
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index a945710..17e6ead 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -1086,7 +1086,7 @@ remoteOpen (virConnectPtr conn, if (!conn->uri) { DEBUG0("Auto-probe remote URI"); #ifndef __sun - if (getuid() > 0) { + if (access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK)) { DEBUG0("Auto-spawn user daemon instance"); rflags |= VIR_DRV_OPEN_REMOTE_USER; if (!autostart ||
Hum, that sounds like a change of semantic.
Depends. I think of the (getuid() > 0) as a check for whether you can access the privileged UNIX socket that simply doesn't take into account that users other than root may have been given this privilege by way of membership of the group owning the socket.
Before as non root you would span a local daemon, now you use the system one. I'm not saying it's a bad thing in most cases but it's a serious change, and we try to avoid those in general.
As I suggested in another e-mail a short while ago in this thread, I'm making this change to maintain the status quo in Ubuntu. We already do this in virsh and virt-viewer and something very, very similar in virt-manager. Someone recently dropped the virt-viewer patch by mistake, and I decided to make the change directly in libvirt to not change how libvirt has behaved for us in the past couple of years, so I can certainly relate to your desire to not change the behaviour.
Personally, at least, I find this behaviour much more pleasant. On all my servers, I just grant whoever needs to be able to deal with the VM's on it access to the socket (by adding them to the libvirtd group), and that's it. I don't need to instruct them to set per-application environment variables or whatever.
Generally, I use libvirt on two classes of machine: Workstations/laptops (where I'm functionally the only user), or on servers whose job is to run virtual machines and nothing else.
In the former case, obviously I want to use the systemwide libvirtd to get access to all the fancy networking things. I have absolutely no motivation to use qemu:///session on there anymore.
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore. Enabing use of qemu://session is key to solving a number of important security problems, not least that a user should be able to just keep the disk & iso images in their home directory and not have to worry about their ownership/permissions. In addition by running VMs directly under the user's session things like pulseaudio, SDL can directly access the X & GNOME sessions without further special config.
In the latter case, only people who are supposed to manage the virtual machines will have access to the server, and IMO they have no business running stuff under qemu:///session on that box.
This is ignoring two important use cases which are common in the corporate world. Shared development servers where many users are on one server, and personal workstations where the users are not allowed to have root. The thing about heuristics is that they're never correct for everyone. Your patch is making it more correct for one group of people, and less correct for a different group of people. Further making a significant functional change to libvirt that will break things for people that are relying on the existing behaviour. If someone wants to save typing they need merely set LIBVIRT_CONNECT_URI to whatever they want and thus avoid the default connection logic completely. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore
Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore.
Enabing use of qemu://session is key to solving a number of important security problems, not least that a user should be able to just keep the disk & iso images in their home directory and not have to worry about their ownership/permissions.
True.
In addition by running VMs directly under the user's session things like pulseaudio, SDL can directly access the X & GNOME sessions without further special config.
I was under the impression that currently targeted solution to at least the audio problem was tunelling through VNC?
This is ignoring two important use cases which are common in the corporate world. Shared development servers where many users are on one server, and personal workstations where the users are not allowed to have root.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail.
The thing about heuristics is that they're never correct for everyone. Your patch is making it more correct for one group of people, and less correct for a different group of people. Further making a significant functional change to libvirt that will break things for people that are relying on the existing behaviour.
I understand the difficulty of heuristics. That's exactly why I think this discussion is useful: It seeks to determine the accuracy of the current heuristic, which I claim is inaccurate in all but extraordinary cases.
If someone wants to save typing they need merely set LIBVIRT_CONNECT_URI to whatever they want and thus avoid the default connection logic completely.
As you point out to Eric elsewhere in this thread, this is about adjusting the behaviour of the heuristic, not about just providing a default URI. I admit, though, that I did not know of the environment variable to do this, which is called LIBVIRT_DEFAULT_URI, by the way :) -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore
Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore.
No, we won't change access to the system instance, the policy for that is already configurable per-host by admins if they so desire. It is more a case of making virt-manager use the qemu:///session uri by default, rather than a change in libvirtd.
In addition by running VMs directly under the user's session things like pulseaudio, SDL can directly access the X & GNOME sessions without further special config.
I was under the impression that currently targeted solution to at least the audio problem was tunelling through VNC?
Yep, that is another piece of work - they're not mutually exclusive, since the audio-over-VNC functionality is useful for remote access across the network, as well as local system access.
This is ignoring two important use cases which are common in the corporate world. Shared development servers where many users are on one server, and personal workstations where the users are not allowed to have root.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail.
You are equating access to the UNIX socket, with authorization to the unix socket. With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote: that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins won't give users access to the privileged UNIX socket.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket.
Indeed I am.
With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :) What if I could come up with a check for whether the user would be authorized to access the socket? Like including a auth_unix_rw == "none" condition in the check? Would that change your view at all? -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote: that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins won't give users access to the privileged UNIX socket.
Or they'll leave the permissions 0777 and simply change the policykit rule to deny access, or they'll not change anything, and simply not tell the user the root password, which is what's required to be entered with policykit to access qemu:///system.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket.
Indeed I am.
Therein lies the flaw in this approach.
With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :)
What if I could come up with a check for whether the user would be authorized to access the socket? Like including a auth_unix_rw == "none" condition in the check? Would that change your view at all?
PolicyKit is just one example I happened to pick, the same logic applies to any of the other authentication/authorization methods that libvirtd applies. Any check based on socket permissions is fundamentally flawed, even with auth_unix_rw="none" (which you can't check because a non-root user can't read /etc/libvirt/libvirtd.conf), when we add role based access control, you may be able to connect to the 'rw' socket, but have no more privileges than on the 'ro' socket. Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 06-09-2010 13:22, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for that is already configurable per-host by admins if they so desire. Yes, that's what I meant. If qemu:///session turns useful enough, admins won't give users access to the privileged UNIX socket. Or they'll leave the permissions 0777 and simply change the policykit rule to deny access, or they'll not change anything, and simply not tell the user the root password, which is what's required to be entered with policykit to access qemu:///system.
I understand. I wrote the above under the (false) assumption that having write access to the UNIX socket implied having privileges to the system's libvirtd.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket. Indeed I am. Therein lies the flaw in this approach.
Yes, I learned that a few lines further down. :)
With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server. Fascinating. I had no idea. That's a very convincing argument :) What if I could come up with a check for whether the user would be authorized to access the socket? Like including a auth_unix_rw == "none" condition in the check? Would that change your view at all? PolicyKit is just one example I happened to pick,
auth_unix_rw == "none" was also just an example.
the same logic applies to any of the other authentication/authorization methods that libvirtd applies.
Of course.
Any check based on socket permissions is fundamentally flawed,
I feel the same way about one that is based on uid, to be honest.
even with auth_unix_rw="none" (which you can't check because a non-root user can't read /etc/libvirt/libvirtd.conf),
On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be worried about that? A quick glance in there doesn't reveal anything that I'm uncomfortable disclosing.
when we add role based access control, you may be able to connect to the 'rw' socket, but have no more privileges than on the 'ro' socket.
In that particular case, I could also check for whether RBAC was enabled, but that's really beside the point right now. My question was a general one: Assuming I can determine that a given user is authorized to manage the systemwide libvirtd, would you agree that that is the one they're most likely to want to access? I simply cannot think up a realistic example use case where someone has this privilege, but actually wants to access qemu:///session. -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On Mon, Sep 06, 2010 at 02:03:08PM +0200, Soren Hansen wrote:
On 06-09-2010 13:22, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for that is already configurable per-host by admins if they so desire. Yes, that's what I meant. If qemu:///session turns useful enough, admins won't give users access to the privileged UNIX socket. Or they'll leave the permissions 0777 and simply change the policykit rule to deny access, or they'll not change anything, and simply not tell the user the root password, which is what's required to be entered with policykit to access qemu:///system.
I understand. I wrote the above under the (false) assumption that having write access to the UNIX socket implied having privileges to the system's libvirtd.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket. Indeed I am. Therein lies the flaw in this approach.
Yes, I learned that a few lines further down. :)
With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server. Fascinating. I had no idea. That's a very convincing argument :) What if I could come up with a check for whether the user would be authorized to access the socket? Like including a auth_unix_rw == "none" condition in the check? Would that change your view at all? PolicyKit is just one example I happened to pick,
auth_unix_rw == "none" was also just an example.
the same logic applies to any of the other authentication/authorization methods that libvirtd applies.
Of course.
Any check based on socket permissions is fundamentally flawed,
I feel the same way about one that is based on uid, to be honest.
even with auth_unix_rw="none" (which you can't check because a non-root user can't read /etc/libvirt/libvirtd.conf),
On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be worried about that? A quick glance in there doesn't reveal anything that I'm uncomfortable disclosing.
The /etc/libvirt directory itself should be 0700 though, since various files under that location include passwords (qemu.conf, secrets/*, qemu/*xml, lxc/*xml, uml/*xml). We don't currently have any passwords in libvirtd.conf itself, but its certainly possible this might change in the future. While it is possible to rely on getting each individual file there to have correct permissions, IMHO it is safer to make the /etc/libvirt directory 0700
when we add role based access control, you may be able to connect to the 'rw' socket, but have no more privileges than on the 'ro' socket.
In that particular case, I could also check for whether RBAC was enabled, but that's really beside the point right now. My question was a general one: Assuming I can determine that a given user is authorized to manage the systemwide libvirtd, would you agree that that is the one they're most likely to want to access? I simply cannot think up a realistic example use case where someone has this privilege, but actually wants to access qemu:///session.
No, I don't agree. I already mentioned the reasons why it is desirable to run within the user session - SDL, audio, disk permissions, and to add another one gnome-keyring integration for qcow2 passwords which is a future feature we'd like for the secrets driver. IMHO if we are to get better integration into the user's desktop experiance, then having both libvirtd & the VMs running in the user's context, rather than a separate context is key. Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 06-09-2010 14:18, Daniel P. Berrange wrote:
On Ubuntu, /etc/libvirt/libvirtd.conf is mode 0644? Should I be worried about that? A quick glance in there doesn't reveal anything that I'm uncomfortable disclosing. The /etc/libvirt directory itself should be 0700 though,
Nope, it's 0755. :( I'll look into getting that fixed.
since various files under that location include passwords (qemu.conf, secrets/*, qemu/*xml, lxc/*xml, uml/*xml). We don't currently have any passwords in libvirtd.conf itself, but its certainly possible this might change in the future. While it is possible to rely on getting each individual file there to have correct permissions, IMHO it is safer to make the /etc/libvirt directory 0700
Makes sense. Thanks for pointing this out. I've never used passwords in any of these files myself, so I never really gave it much thought :(
Assuming I can determine that a given user is authorized to manage the systemwide libvirtd, would you agree that that is the one they're most likely to want to access? I simply cannot think up a realistic example use case where someone has this privilege, but actually wants to access qemu:///session. No, I don't agree. I already mentioned the reasons why it is desirable to run within the user session - SDL, audio, disk permissions, and to add another one gnome-keyring integration for qcow2 passwords which is a future feature we'd like for the secrets driver. IMHO if we are to get better integration into the user's desktop experiance, then having both libvirtd & the VMs running in the user's context, rather than a separate context is key.
Yes, of course, when qemu:///session gets this smart and cool you will want to access qemu:///session by default. At /exactly/ the same time, the motivation for setting yourself up with access to qemu:///system disappears. When that motivation is gone, any admin worth his salt will immediately revoke said access (in the shared scenario) (since it's a gaping security hole) and voilĂ , libvirt will go back to using qemu:///session by default. -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On Mon, Sep 06, 2010 at 01:07:34PM +0200, Soren Hansen wrote:
On 06-09-2010 12:24, Daniel P. Berrange wrote:
On 06-09-2010 11:17, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore Fair enough, but when that happens, I'm supposing people won't have access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for
On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote: that is already configurable per-host by admins if they so desire.
Yes, that's what I meant. If qemu:///session turns useful enough, admins won't give users access to the privileged UNIX socket.
I disagree. In both of those cases, I'd be surprised if people were able to access the privileged libvirtd socket. In the former case, if people generally had access to the systemwide libvirtd instance, I'd assume that was because that was the one they were supposed to use for their shared development stuff. In the latter case, with that sort of access, I could have full root shell access within minutes, so that'd be a pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket.
Indeed I am.
With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server.
Fascinating. I had no idea. That's a very convincing argument :)
What if I could come up with a check for whether the user would be authorized to access the socket? Like including a auth_unix_rw == "none" condition in the check? Would that change your view at all?
Speaking personally and as a user here, I think qemu://session is a good thing, I think the process of giving users elevated permissions to use qemu+KVM has been a bad thing for a while now and any attempts at correcting this behaviour is a positive step. If someone is in an environment where they need to manage the system qemu instance (i.e. production environments) then I would imagine that they would be aware that they need to connect 'somewhere else'. If the environment variable suggested before already exists (sorry couldn't tell) then that is enough to allow those companies to change the default behaviour. My 2 cents.
On Mon, Sep 06, 2010 at 10:17:17AM +0100, Daniel P. Berrange wrote:
Our goal is to improve qemu://session's networking such that this isn't a reason to use qemu://system anymore.
BTW, some ideas we have for attacking this problem are - Add support to network manager to create TAP devices on behalf of the logged in user. Thus libvirt would talk to NM over dbus and ask it to create a TAP device, which we then pass to QEMU in the normal manner. Thus neither libvirtd or QEMU need higher privileges. This also requires NM to understand bridging setup. - Integrate with VDE as the solution for the 'virtual network' functionality in libvirt. This improves on 'user' networking mode by allowing VMs to talk to each other, out of the box they still have slirp based access to the outside world. It is possible to make VDE use a TAP device for connectivity to the outside world, so either the admin can set one up, or again we can ask network manager todo it, which in this case doesn't require full bridging support - just NAT which NM can already do via its 'connection sharing' feature. - A setuid helper program that libvirtd can use for setting up TAP devices. This is just a crappier version of getting network manager todo it for us. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On Fri, Sep 03, 2010 at 03:28:58PM +0200, Soren Hansen wrote:
If no uri is passed to one of the virConnectOpen-ish calls, libvirt attempts to autoprobe a sensible URI. Part of the current logic checks for getuid() > 0, and if that check is succesful, a libvirtd daemon is spawned. This patch replaces this check with a call to access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the qemu:///system UNIX socket connect to that one by default instead of spawning a new libvirtd daemon.
NACK, I don't think we should be changing this. If the user is unprivileged, it should always default to the unprivileged libvirtd, regardless of whether they are also authorized to connect to the privileged libvirtd (via socket permissions or policykit, or kerberos). If the unprivileged user still wants the privileged libvirtd, they should given an explicit URI. Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
On 03-09-2010 16:08, Daniel P. Berrange wrote:
If no uri is passed to one of the virConnectOpen-ish calls, libvirt attempts to autoprobe a sensible URI. Part of the current logic checks for getuid() > 0, and if that check is succesful, a libvirtd daemon is spawned. This patch replaces this check with a call to access(LIBVIRTD_PRIV_UNIX_SOCKET, W_OK) so that users with access to the qemu:///system UNIX socket connect to that one by default instead of spawning a new libvirtd daemon. NACK, I don't think we should be changing this. If the user is unprivileged, it should always default to the unprivileged libvirtd, regardless of whether they are also authorized to connect to the privileged libvirtd (via socket permissions or policykit, or kerberos). If the unprivileged user still wants the privileged libvirtd, they should given an explicit URI.
Hm... I didn't think this was going to be controversial :) I firmly believe that if a user has access to the privileged libvirt daemon, that's the one he'll want to interact with in all but extraordinary cases. I consider it very analogous to how virt-manager doesn't even offer usermode networking if you're connected to qemu:///system, since if you aren't stuck with usermode networking, there's no reason to use it (other than to prove this statement wrong). Ubuntu has carried patches for this for virsh, virt-manager, and virt-viewer for a while now (at least a year and a half). I'm not sure if they've been submitted here (or to et-mgmt-tools) before (and if not, why not), but that's the lay of the land, and I've had nothing but good feedback on it. Now I just wanted to fix it properly (directly in libvirt) and get it upstream. It's certainly saved me a lot of typing. -- Soren Hansen Ubuntu Developer http://www.ubuntu.com/
On 09/03/2010 02:38 PM, Soren Hansen wrote:
NACK, I don't think we should be changing this. If the user is unprivileged, it should always default to the unprivileged libvirtd, regardless of whether they are also authorized to connect to the privileged libvirtd (via socket permissions or policykit, or kerberos). If the unprivileged user still wants the privileged libvirtd, they should given an explicit URI.
Hm... I didn't think this was going to be controversial :)
Maybe a less-controversial patch would be changing configure.ac to add a configure option for the default URI string for non-privileged users? Right now, the default is hard-coded to qemu:///session, but by letting it be a configure choice, then it would be up to the end user (or distro) whether to risk the default of qemu:///system as well as exposing the socket as writable. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org
On Fri, Sep 03, 2010 at 02:50:00PM -0600, Eric Blake wrote:
On 09/03/2010 02:38 PM, Soren Hansen wrote:
NACK, I don't think we should be changing this. If the user is unprivileged, it should always default to the unprivileged libvirtd, regardless of whether they are also authorized to connect to the privileged libvirtd (via socket permissions or policykit, or kerberos). If the unprivileged user still wants the privileged libvirtd, they should given an explicit URI.
Hm... I didn't think this was going to be controversial :)
Maybe a less-controversial patch would be changing configure.ac to add a configure option for the default URI string for non-privileged users? Right now, the default is hard-coded to qemu:///session, but by letting it be a configure choice, then it would be up to the end user (or distro) whether to risk the default of qemu:///system as well as exposing the socket as writable.
There is no compile time concept of default URI to make configurable. If no URI is found, libvirt probes each hypervisor driver in turn. As an end user though, you can edit $HOME/.bashrc and set the env variable LIBVIRT_DEFAULT_URI to ensure a URI is always found before it gets the probing logic. Regards, Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
participants (6)
-
Daniel P. Berrange -
Daniel Veillard -
Eric Blake -
Nigel Jones -
Soren Hansen -
Soren Hansen