On Thu, Jul 14, 2011 at 11:37 AM, Andrew Griffiths <807...@bugs.launchpad.net> wrote: > Regarding the threads having different privilege level, I have isolated > that to being related to my grsecurity configuration (more specifically, > chroot_findtask will block it). > > While it's still an issue on older glibc where the setuid/setgid code > does not enforce it across all threads, it may not be high priority > since fixing it would be a lot more effort.
Wow, just learnt something new that glibc does behind our backs :). I see it uses SIGRTMIN+1 to signal threads and get them to do the set*id system calls. I'm glad it does this because although most QEMU threads should be started after command-line parsing, I can think of instances where we might start a thread before -runas is completed. Stefan -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/807893 Title: qemu privilege escalation Status in QEMU: Confirmed Bug description: If qemu is started as root, with -runas, the extra groups is not dropped correctly /proc/`pidof qemu`/status .. Uid: 100 100 100 100 Gid: 100 100 100 100 FDSize: 32 Groups: 0 1 2 3 4 6 10 11 26 27 ... The fix is to add initgroups() or setgroups(1, [gid]) where appropriate to os-posix.c. The extra gid's allow read or write access to other files (such as /dev etc). Emulating the qemu code: # python ... >>> import os >>> os.setgid(100) >>> os.setuid(100) >>> os.execve("/bin/sh", [ "/bin/sh" ], os.environ) sh-4.1$ xxd /dev/sda | head -n2 0000000: eb48 9000 0000 0000 0000 0000 0000 0000 .H.............. 0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ sh-4.1$ ls -l /dev/sda brw-rw---- 1 root disk 8, 0 Jul 8 11:54 /dev/sda sh-4.1$ id uid=100(qemu00) gid=100(users) groups=100(users),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/807893/+subscriptions
