Has anyone had experience with securing the KVM agent, specifically
getting it to run as non-root? I've looked a bit, and I believe it
would require code changes.  An initial, simple plan for this (that
involves code fixes) might be to do something like:

1) generate a list of included scripts during packaging and create a
file for /etc/sudoers.d to allow a cloudstack user to run these. User
and sudoers file are added by the package (?)
2) make sure the libvirt socket is owned by the cloudstack group in
/etc/libvirt/libvirtd.conf
3) change the code to pass the sudo boolean to every Script command
4) audit for any other hardcoded root paths (e.g. the ssh keys dir) or
system commands needed
5) change init script to launch agent as cloudstack user

Obviously this doesn't go all the way into auditing how all of the
scripts act, or path issues, etc, but it could be a good first step.
It would protect against malicious strings passed as parameters to
these scripts, but perhaps not in cases where they might be escaped at
the first exec and run by the script itself.

Alternatively, we could audit all of the scripts, adding sudo where
necessary and manually including those into a sudoers.d config.

As an in-between, we could add all of the packaged scripts to a
sudoers file, and remove them slowly as we audit each script.

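As an added example (not part of the post above and not CloudStack's own packaging or agent code), the following shell script shows what steps 1 and 2 of the plan could look like in a packaging hook: it builds an /etc/sudoers.d fragment from a list of installed script paths, restricted to exactly those paths and run as root without a password, and emits the libvirtd.conf settings that hand the read-write socket to the agent's group. The service account name "cloudstack", the Cmnd_Alias name CLOUDSTACK_SCRIPTS, and the script paths in the demo list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not CloudStack's packaging or agent code: generate the
# sudoers.d fragment and libvirtd.conf settings described in steps 1 and 2.
# The user name, alias name and script paths are assumptions for the example.
set -eu

AGENT_USER="${AGENT_USER:-cloudstack}"   # assumed service account / group

# Accept only absolute paths made of a conservative character set, so a
# packaging mistake cannot put sudoers syntax (commas, spaces, wildcards)
# or a ".." component into the generated rule.
validate_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./-]*) return 1 ;;
        *//*|*/./*|*/../*) return 1 ;;
    esac
    return 0
}

# Emit a sudoers fragment: one Cmnd_Alias listing every packaged script and
# one rule granting the agent user exactly that alias as root, without a
# password. $1 = user, $2 = file with one absolute script path per line.
gen_sudoers() {
    user="$1"; list="$2"
    cmds=""
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        validate_path "$p" || { echo "rejecting path: $p" >&2; return 1; }
        cmds="${cmds:+$cmds, }$p"
    done < "$list"
    [ -n "$cmds" ] || { echo "no scripts listed" >&2; return 1; }
    printf 'Defaults:%s !requiretty\n' "$user"
    printf 'Cmnd_Alias CLOUDSTACK_SCRIPTS = %s\n' "$cmds"
    printf '%s ALL=(root) NOPASSWD: CLOUDSTACK_SCRIPTS\n' "$user"
}

# Emit the libvirtd.conf settings that make the RW socket group-accessible
# to the agent's group instead of root-only (step 2). $1 = group name.
gen_libvirtd_conf() {
    group="$1"
    printf 'unix_sock_group = "%s"\n' "$group"
    printf 'unix_sock_rw_perms = "0770"\n'
    printf 'auth_unix_rw = "none"\n'
}

# Stand-alone run ("sh thisfile.sh demo"): write a constructed script list
# (paths are made up for the example) and print both fragments.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' /usr/share/cloudstack-common/scripts/vm/example-a.sh \
                  /usr/share/cloudstack-common/scripts/storage/example-b.sh > "$tmp"
    gen_sudoers "$AGENT_USER" "$tmp"
    gen_libvirtd_conf "$AGENT_USER"
    rm -f "$tmp"
fi
```

Before installing the generated fragment, check it with `visudo -cf <file>` and confirm the resulting grant with `sudo -l -U cloudstack`. Two caveats a practitioner would add: the listed scripts and their directories must be root-owned and not writable by the agent user, otherwise the sudo grant is just root with one extra step; and on hosts where libvirtd is started through systemd socket activation, the unix_sock_* settings in libvirtd.conf are ignored and the socket group and mode have to be set on the libvirtd.socket unit instead.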