On Wed, Aug 01, 2007 at 01:06:22PM -0400, Dimitry Golubovsky wrote: > Daniel, > > On 8/1/07, Daniel P. Berrange <[EMAIL PROTECTED]> wrote: > > > Unless you whitelist which monitor commands it can run this would be a > > significant security hole. eg a guest could run > > > > 'usb_add disk /some/path' > > > > To get access to arbitrary files & disks from the host. > > > > If we assume that kvm runs under root, yes (and if kvm finds out it > runs under root, it might disable such access to monitor). I have > written a suid wrapper (very simple) that does whatever necessary > under root, and then drops to user privileges, then execs kvm, so > these actions will be limited by Linux multi-user mechanisms as usual. > In my daily practice, I run kvm under my user privileges, and it works > fine.
It can be a problem even if running as an unprivileged user, since the guest can read/write any files owned by that user - for example other guest disk images the user may have in their home dir. Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=| ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ kvm-devel mailing list kvm-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/kvm-devel
