Good proposition. Personally I would like to see support for SELinux and separation between VMs.
--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Marcus" <shadow...@gmail.com>
> To: dev@cloudstack.apache.org
> Sent: Friday, 24 April, 2015 00:17:09
> Subject: KVM securing root
>
> Has anyone had experience with securing the KVM agent, specifically
> getting it to run as non-root? I've looked a bit, and I believe it
> would require code changes. An initial, simple plan for this (that
> involves code fixes) might be to do something like:
>
> 1) generate a list of included scripts during packaging and create a
> file for /etc/sudoers.d to allow a cloudstack user to run these. User
> and sudoers file are added by the package (?)
> 2) make sure the libvirt socket is owned by the cloudstack group in
> /etc/libvirt/libvirtd.conf
> 3) change the code to pass the sudo boolean to every Script command
> 4) audit for any other hardcoded root paths (e.g. the ssh keys dir) or
> system commands needed
> 5) change init script to launch agent as cloudstack user
>
> Obviously this doesn't go all the way into auditing how all of the
> scripts act, or path issues, etc, but it could be a good first step.
> It would protect against malicious strings passed as parameters to
> these scripts, but perhaps not in cases where they might be escaped at
> the first exec and run by the script itself.
>
> Alternatively, we could audit all of the scripts, adding sudo where
> necessary and manually including those into a sudoers.d config.
>
> As an in-between, we could add all of the packaged scripts to a
> sudoers file, and remove them slowly as we audit each script.
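Step 1 of the quoted plan (a packaging-time generated sudoers.d fragment) as an added example; this is illustration code, not from the CloudStack project or either poster. The user name "cloudstack", the script directory and the output path are assumptions; note that a sudoers rule naming a command without arguments still permits any arguments, so the scripts themselves need the audit the message describes.

```shell
#!/bin/sh
# Added example (not CloudStack project code): emit a sudoers.d fragment that
# lets the unprivileged agent user run exactly the packaged helper scripts.
# User/group "cloudstack" and all paths are assumptions for illustration.

# gen_sudoers USER SCRIPT_DIR
#   Prints one sudoers line per executable regular file under SCRIPT_DIR.
#   Absolute paths are used so the rule cannot be satisfied by a same-named
#   file elsewhere; names containing characters that are special to the
#   sudoers grammar (':' ',' '=' whitespace ...) are skipped rather than
#   quoted, because a mis-quoted entry silently widens the rule.
gen_sudoers() {
    user=$1
    dir=$2
    find "$dir" -type f -perm -u+x | LC_ALL=C sort | while IFS= read -r script; do
        case $script in
            *[!A-Za-z0-9/._-]*)
                echo "skipping script with unsafe name: $script" >&2
                continue ;;
        esac
        printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$script"
    done
}

# write_fragment USER SCRIPT_DIR OUTFILE
#   Writes the fragment with the 0440 mode sudo expects for sudoers files and,
#   when visudo is installed, syntax-checks it so a broken fragment is caught
#   at packaging time instead of at the first privileged call from the agent.
write_fragment() {
    user=$1
    dir=$2
    out=$3
    umask 337
    gen_sudoers "$user" "$dir" > "$out"
    chmod 0440 "$out"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$out"
    fi
}

# Example invocation (paths are assumptions):
# write_fragment cloudstack /usr/share/cloudstack-common/scripts /etc/sudoers.d/cloudstack-agent
```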