Control: retitle -1 Please drop 60-qemu-system-common.rules
Control: tags -1 + patch

On 23.07.2018 at 09:08, Guido Günther wrote:
> Hi,
> On Tue, Jul 10, 2018 at 12:06:13AM +0200, Michael Biebl wrote:
>> On 09.07.2018 at 20:37, Ben Hutchings wrote:
>>
>>> It is fairly mature, but it still has a large attack surface and
>>> occasional security issues that can be exploited by the VM owner. So I
>>> think it makes sense to restrict access to the kvm group and local
>>> logins. This should mitigate the security issues on multiuser systems
>>> without too much disruption.
>>
>> Ok, let's go with 0660 (root:kvm) + uaccess then
>> I'll include that in the next upload of udev.
>
> Thanks a lot! This makes it a lot simpler for users to run qemu:///session.

This has happened in systemd/udev 239-6 [1]

It should now be safe to drop
/lib/udev/rules.d/60-qemu-system-common.rules and the creation of the
kvm system group from qemu-system-common.postinst.

So retitling the bug report accordingly.

Please consider applying the attached patch in one of your next uploads.

Regards,
Michael

[1] https://salsa.debian.org/systemd-team/systemd/commit/4fc3fa53bfa6e16ceb6cd312f49003839b56144a

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

From ddfd9a98f2dc66889de7b4101636f3b08fcf2aa2 Mon Sep 17 00:00:00 2001 From: Michael Biebl <bi...@debian.org> Date: Mon, 23 Jul 2018 10:57:45 +0200 Subject: [PATCH] Drop 60-qemu-system-common.rules and postinst which creates group kvm The udev package now takes care to setup /dev/kvm with the proper permissions. --- debian/qemu-system-common.postinst | 27 --------------------------- debian/qemu-system-common.udev | 1 - 2 files changed, 28 deletions(-) delete mode 100644 debian/qemu-system-common.postinst delete mode 100644 debian/qemu-system-common.udev diff --git a/debian/qemu-system-common.postinst b/debian/qemu-system-common.postinst deleted file mode 100644 index 336a4190e2..0000000000 --- a/debian/qemu-system-common.postinst +++ /dev/null @@ -1,27 +0,0 @@ -#! /bin/sh - -set -e - -if [ "$1" = configure ] ; then - # Add the kvm group unless it's already there - if ! getent group kvm >/dev/null; then - addgroup --quiet --system kvm || true - fi -fi - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. -#DEBHELPER# - -# if we just installed the package, udev rules aren't picked up yet, -# so udev may have created the device (/dev/kvm) with default permissions. -# Fix it here, but only if the perms are like default. -# (See #607391) - -if [ -c /dev/kvm -a ! -L /dev/kvm ] && [ .$(stat -c %u%g /dev/kvm) = .00 ] -then - chgrp kvm /dev/kvm - chmod 0660 /dev/kvm -fi - -exit 0 diff --git a/debian/qemu-system-common.udev b/debian/qemu-system-common.udev deleted file mode 100644 index c2f7317aac..0000000000 --- a/debian/qemu-system-common.udev +++ /dev/null @@ -1 +0,0 @@ -KERNEL=="kvm", GROUP="kvm", MODE="0660" -- 2.18.0
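
Review bot: Deleting debian/qemu-system-common.postinst removes the only addgroup --quiet --system kvm call, and deleting debian/qemu-system-common.udev removes the KERNEL=="kvm" rule, but the diffstat lists no debian/control change, so nothing ties qemu-system-common to a udev that has taken these over. The cover mail names systemd/udev 239-6 as the version carrying the replacement; add a versioned dependency on that udev in the same upload, otherwise a partial upgrade or backport with an older udev leaves /dev/kvm at its default ownership (root:root according to the removed #607391 check) and no kvm group is created. The commit message would also benefit from naming 239-6, since it currently says only that the udev package now sets up /dev/kvm.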