On Tue, Mar 22, 2022 at 05:10:07PM +0100, Laszlo Ersek wrote:
> On 03/22/22 15:35, Richard W.M. Jones wrote:
> > When using the libvirt backend and running as root, libvirt will run
> > qemu as a non-root user (e.g. qemu:qemu).  The v2v directory stores NBD
> > endpoints that qemu must be able to open and so we set the directory
> > to mode 0711.  Unfortunately this permits any non-root user to open
> > the sockets (since, by design, they have predictable names within the
> > directory).
> 
> Are the NBD socket pathnames visible on the QEMU command line ("ps -ef"
> or "ps auxwww")?
> 
> If not, then the issue could be prevented by inserting a directory with
> a hard-to-guess name in the middle (e.g. one named by uuidgen).

Unfortunately, yes, they're visible in "ps", and anyway we want these to
be well-known paths (for the _same_ user!).

> > So instead of using directory permissions, use an ACL which allows us
> > to precisely give access to the qemu user and no one else.
> 
> If we may assume the "qemu" user name (and we're root), we can just give
> qemu:root ownership to the directory, and file mode bits 0700. The qemu
> user will have access, and v2v (running as root) will not be hindered by
> a theoretical lack of access rights.

This might not be a bad idea actually.  Root ignores permissions
usually as you say.

> > Reported-by: Xiaodai Wang
> > Thanks: Dr David Gilbert
> > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2066773
> > ---
> >  lib/utils.ml | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/lib/utils.ml b/lib/utils.ml
> > index 757bc73c8e..5623250832 100644
> > --- a/lib/utils.ml
> > +++ b/lib/utils.ml
> > @@ -158,8 +158,12 @@ let error_if_no_ssh_agent () =
> >  (* Create the directory containing inX and outX sockets. *)
> >  let create_v2v_directory () =
> >    let d = Mkdtemp.temp_dir "v2v." in
> > +  (* If running as root, and if the backend is libvirt, libvirt
> > +   * will run qemu as a non-root user.  Allow qemu to open the directory.
> > +   *)
> >    let running_as_root = Unix.geteuid () = 0 in
> > -  if running_as_root then Unix.chmod d 0o711;
> > +  if running_as_root && backend_is_libvirt () then
> > +    ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d)));
> >    On_exit.rmdir d;
> >    d
> >  
> > 
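Review bot: the exit status of setfacl is thrown away on the `ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d)))` line, so if the setfacl binary is missing or the filesystem under `Mkdtemp.temp_dir` does not support POSIX ACLs, the directory silently keeps whatever mode Mkdtemp gave it (the old `Unix.chmod d 0o711` widening is gone) and qemu fails later with an unrelated-looking permission error; check the return value and fail with a clear message instead of `ignore`. The hard-coded `user:qemu` also bakes in the distribution's libvirt qemu user name, which the surrounding comment should at least state as an assumption, and the comment block above `running_as_root` should mention that security now depends on the directory mode staying closed to "other".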
> 
> Not ideal -- yet another facility, in order to get around a security
> measure we put in place ourselves -- but it gets the job done...

Yup, I'm not especially happy with either solution.  I might play
around with your idea above of setting permissions to qemu:root.

> Acked-by: Laszlo Ersek <[email protected]>

Thanks,

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
_______________________________________________
Libguestfs mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/libguestfs
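The alternative Laszlo suggests in the thread (hand the directory to qemu:root with mode 0700 instead of widening it with an ACL), written out as an added example in the project's language; this is not libguestfs code, and `mkdtemp` here is a hypothetical stand-in for the project's own `Mkdtemp.temp_dir`. It assumes a local user named "qemu" exists and that the caller is root when the libvirt backend is in use.

```ocaml
(* Build with: ocamlfind ocamlopt -package unix -linkpkg v2vdir.ml *)

(* Hypothetical stand-in for libguestfs' Mkdtemp.temp_dir: create a
 * fresh directory under the temp dir, retrying on a name collision. *)
let rec mkdtemp prefix =
  let name = Printf.sprintf "%s%06x" prefix (Random.bits () land 0xffffff) in
  let d = Filename.concat (Filename.get_temp_dir_name ()) name in
  match Unix.mkdir d 0o700 with
  | () -> d
  | exception Unix.Unix_error (Unix.EEXIST, _, _) -> mkdtemp prefix

(* Create the directory that will hold the NBD sockets.  Instead of
 * opening it to "other" (0711, reachable by any local user because the
 * socket names inside are predictable) or attaching an ACL, make the
 * qemu user the owner and keep group/other at zero.  v2v itself runs as
 * root and bypasses these mode bits (CAP_DAC_OVERRIDE), so it is not
 * hindered; qemu owns the directory; nobody else can traverse it. *)
let create_v2v_directory ~backend_is_libvirt () =
  let d = mkdtemp "v2v." in
  let running_as_root = Unix.geteuid () = 0 in
  if running_as_root && backend_is_libvirt then begin
    let qemu_uid =
      match Unix.getpwnam "qemu" with          (* assumed user name *)
      | pw -> pw.Unix.pw_uid
      | exception Not_found ->
        failwith "create_v2v_directory: no \"qemu\" user on this host"
    in
    Unix.chown d qemu_uid 0;   (* owner qemu, group root *)
    Unix.chmod d 0o700         (* explicit: umask does not matter *)
  end;
  d

let () =
  Random.self_init ();
  (* Demo: run as a normal user this only creates a private 0700 dir. *)
  let d = create_v2v_directory ~backend_is_libvirt:false () in
  let st = Unix.stat d in
  Printf.printf "%s mode=%04o uid=%d gid=%d\n" d
    (st.Unix.st_perm land 0o7777) st.Unix.st_uid st.Unix.st_gid;
  Unix.rmdir d
```

As root with `~backend_is_libvirt:true` the printed line should show uid of the qemu user, gid 0 and mode 0700; the caller still has to remove the directory on exit, as the original `On_exit.rmdir d` does.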