Re: [Xen-devel] [PATCH v3] run QEMU as non-root
On Fri, 29 May 2015, Ian Campbell wrote:
> On Fri, 2015-05-29 at 14:47 +0100, Stefano Stabellini wrote:
> > Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
> > domid, finally "xen-qemudepriv-shared" and root if everything else fails.
> >
> > The uids need to be manually created by the user or, more likely, by the
> > xen package maintainer.
> >
> > To actually secure QEMU when running in Dom0, we need at least to
> > deprivilege the privcmd and xenstore interfaces, this is just the first
> > step in that direction.
> >
> > Signed-off-by: Stefano Stabellini
> >
> > ---
> > Changes in v3:
> > - clarify doc
> > - handle errno == ERANGE
> > ---
> > docs/misc/qemu-deprivilege | 36 +
> > tools/libxl/libxl_dm.c | 60
> > ++
> > tools/libxl/libxl_internal.h |4 +++
> > 3 files changed, 100 insertions(+)
> > create mode 100644 docs/misc/qemu-deprivilege
> >
> > diff --git a/docs/misc/qemu-deprivilege b/docs/misc/qemu-deprivilege
> > new file mode 100644
> > index 000..3a61867
> > --- /dev/null
> > +++ b/docs/misc/qemu-deprivilege
>
> Could you name this with a .txt or even a .markdown or .pandoc please.
>
> I think you should also add a reference to this to the toplevel INSTALL
> file, so there is some hope of someone seeing it.
Good idea
> And I presume you will update the relevant wikipages (e.g. the
> installing from source one) once this change lands?
Yes, I will.
> > +2) a user named "xen-qemudepriv-base", adding domid to its uid
> > +This requires the reservation of 65536 uids from the uid of
> > +xen-qemudepriv-base to uid+65535. For example, if xen-qemudepriv-base
> > +has uid 6000, and the domid is 25, libxl will try to use uid 6025. To
> > +use this mechanism, you might want to create a large number of users at
> > +installation time. For example:
> > +
> > +adduser --system xen-qemudepriv-base
> > +for i in '' $(seq 1 65335)
> > +do
> > +adduser --system xen-qemudepriv-base$i
> > +done
>
> I'm not sure that adduser is necessarily guaranteed to create users
> sequentially, even if it might do so most of the time. Did you check
> this?
>
> Perhaps rather than doing base + domid we should just lookup the user
> xen-qemudepriv-domid and document creating a user for every domid?
> The advantage with that is we don't need to figure out how to document
> the creation of 65K _consecutive_ users.
That might be better actually
> > @@ -439,6 +441,9 @@ static char **
> > libxl__build_device_model_args_new(libxl__gc *gc,
> > int i, connection, devid;
> > uint64_t ram_size;
> > const char *path, *chardev;
> > +struct passwd pwd, *user = NULL;
> > +char *buf = NULL;
> > +long buf_size;
> >
> > dm_args = flexarray_make(gc, 16, 1);
> >
> > @@ -878,6 +883,61 @@ static char **
> > libxl__build_device_model_args_new(libxl__gc *gc,
> > default:
> > break;
> > }
> > +
> > +buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
> > +if (buf_size < 0) {
> > +LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error
> > %ld", buf_size);
> > +goto end_search;
> > +}
> > +errno = 0;
> > +
> > +retry:
> > +if (errno == ERANGE)
> > +buf_size += 512;
> > +buf = libxl__realloc(gc, buf, buf_size);
> > +if (c_info->name) {
> > +errno = 0;
> > +getpwnam_r(libxl__sprintf(gc, "%s-%s",
> > +LIBXL_QEMU_USER_PREFIX, c_info->name),
> > +&pwd, buf, buf_size, &user);
> > +if (user != NULL)
> > +goto end_search;
> > +if (errno == ERANGE)
> > +goto retry;
> > +}
> > +
> > +errno = 0;
> > +getpwnam_r(LIBXL_QEMU_USER_BASE, &pwd, buf, buf_size, &user);
> > +if (user != NULL) {
> > +errno = 0;
> > +getpwuid_r(user->pw_uid + guest_domid, &pwd, buf, buf_size,
> > &user);
> > +if (user != NULL)
> > +goto end_search;
> > +if (errno == ERANGE)
> > +goto retry;
> > +}
> > +if (errno == ERANGE)
> > +goto retry;
> > +
> > +errno = 0;
> > +getpwnam_r(LIBXL_QEMU_USER_SHARED, &pwd, buf, buf_size, &user);
> > +if (user != NULL) {
> > +LOG(WARN, "Could not find user %s-%s or user %s (+domid %d),
> > falling back to %s",
> > +LIBXL_QEMU_USER_PREFIX, c_info->name,
> > LIBXL_QEMU_USER_BASE,
> > +guest_domid, LIBXL_QEMU_USER_SHARED);
> > +goto end_search;
> > +}
> > +if (errno == ERANGE)
> > +goto retry;
>
> This is all rather repetitive, please add a helper which takes care of
> allocating the buffer, retrying and logging on fail.
>
> I don't think you need to worry about making all three attempts use the
> s
Re: [Xen-devel] [PATCH v3] run QEMU as non-root
On Fri, 2015-05-29 at 14:47 +0100, Stefano Stabellini wrote:
> Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
> domid, finally "xen-qemudepriv-shared" and root if everything else fails.
>
> The uids need to be manually created by the user or, more likely, by the
> xen package maintainer.
>
> To actually secure QEMU when running in Dom0, we need at least to
> deprivilege the privcmd and xenstore interfaces, this is just the first
> step in that direction.
>
> Signed-off-by: Stefano Stabellini
>
> ---
> Changes in v3:
> - clarify doc
> - handle errno == ERANGE
> ---
> docs/misc/qemu-deprivilege | 36 +
> tools/libxl/libxl_dm.c | 60
> ++
> tools/libxl/libxl_internal.h |4 +++
> 3 files changed, 100 insertions(+)
> create mode 100644 docs/misc/qemu-deprivilege
>
> diff --git a/docs/misc/qemu-deprivilege b/docs/misc/qemu-deprivilege
> new file mode 100644
> index 000..3a61867
> --- /dev/null
> +++ b/docs/misc/qemu-deprivilege
Could you name this with a .txt or even a .markdown or .pandoc please.
I think you should also add a reference to this to the toplevel INSTALL
file, so there is some hope of someone seeing it.
And I presume you will update the relevant wikipages (e.g. the
installing from source one) once this change lands?
> +2) a user named "xen-qemudepriv-base", adding domid to its uid
> +This requires the reservation of 65536 uids from the uid of
> +xen-qemudepriv-base to uid+65535. For example, if xen-qemudepriv-base
> +has uid 6000, and the domid is 25, libxl will try to use uid 6025. To
> +use this mechanism, you might want to create a large number of users at
> +installation time. For example:
> +
> +adduser --system xen-qemudepriv-base
> +for i in '' $(seq 1 65335)
> +do
> +adduser --system xen-qemudepriv-base$i
> +done
I'm not sure that adduser is necessarily guaranteed to create users
sequentially, even if it might do so most of the time. Did you check
this?
Perhaps rather than doing base + domid we should just lookup the user
xen-qemudepriv-domid and document creating a user for every domid?
The advantage with that is we don't need to figure out how to document
the creation of 65K _consecutive_ users.
> @@ -439,6 +441,9 @@ static char **
> libxl__build_device_model_args_new(libxl__gc *gc,
> int i, connection, devid;
> uint64_t ram_size;
> const char *path, *chardev;
> +struct passwd pwd, *user = NULL;
> +char *buf = NULL;
> +long buf_size;
>
> dm_args = flexarray_make(gc, 16, 1);
>
> @@ -878,6 +883,61 @@ static char **
> libxl__build_device_model_args_new(libxl__gc *gc,
> default:
> break;
> }
> +
> +buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
> +if (buf_size < 0) {
> +LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld",
> buf_size);
> +goto end_search;
> +}
> +errno = 0;
> +
> +retry:
> +if (errno == ERANGE)
> +buf_size += 512;
> +buf = libxl__realloc(gc, buf, buf_size);
> +if (c_info->name) {
> +errno = 0;
> +getpwnam_r(libxl__sprintf(gc, "%s-%s",
> +LIBXL_QEMU_USER_PREFIX, c_info->name),
> +&pwd, buf, buf_size, &user);
> +if (user != NULL)
> +goto end_search;
> +if (errno == ERANGE)
> +goto retry;
> +}
> +
> +errno = 0;
> +getpwnam_r(LIBXL_QEMU_USER_BASE, &pwd, buf, buf_size, &user);
> +if (user != NULL) {
> +errno = 0;
> +getpwuid_r(user->pw_uid + guest_domid, &pwd, buf, buf_size,
> &user);
> +if (user != NULL)
> +goto end_search;
> +if (errno == ERANGE)
> +goto retry;
> +}
> +if (errno == ERANGE)
> +goto retry;
> +
> +errno = 0;
> +getpwnam_r(LIBXL_QEMU_USER_SHARED, &pwd, buf, buf_size, &user);
> +if (user != NULL) {
> +LOG(WARN, "Could not find user %s-%s or user %s (+domid %d),
> falling back to %s",
> +LIBXL_QEMU_USER_PREFIX, c_info->name,
> LIBXL_QEMU_USER_BASE,
> +guest_domid, LIBXL_QEMU_USER_SHARED);
> +goto end_search;
> +}
> +if (errno == ERANGE)
> +goto retry;
This is all rather repetitive, please add a helper which takes care of
allocating the buffer, retrying and logging on fail.
I don't think you need to worry about making all three attempts use the
same buffer, so the helper doesn't need to have the complexity of doing
that.
That would also let you avoid repeating all three searches when the last
one returns ERANGE.
> +
> +
> +LOG(WARN, "Could not find user %s, starting QEMU as root",
> LIBXL_QEMU_USER_SHARED);
> +
> +end_search:
> +if (user) {
> +flexarray_append(
[Xen-devel] [PATCH v3] run QEMU as non-root
Try to use "xen-qemudepriv-$domname" first, then "xen-qemudepriv-base" +
domid, finally "xen-qemudepriv-shared" and root if everything else fails.
The uids need to be manually created by the user or, more likely, by the
xen package maintainer.
To actually secure QEMU when running in Dom0, we need at least to
deprivilege the privcmd and xenstore interfaces, this is just the first
step in that direction.
Signed-off-by: Stefano Stabellini
---
Changes in v3:
- clarify doc
- handle errno == ERANGE
---
docs/misc/qemu-deprivilege | 36 +
tools/libxl/libxl_dm.c | 60 ++
tools/libxl/libxl_internal.h |4 +++
3 files changed, 100 insertions(+)
create mode 100644 docs/misc/qemu-deprivilege
diff --git a/docs/misc/qemu-deprivilege b/docs/misc/qemu-deprivilege
new file mode 100644
index 000..3a61867
--- /dev/null
+++ b/docs/misc/qemu-deprivilege
@@ -0,0 +1,36 @@
+For security reasons, libxl tries to create QEMU as non-root.
+Libxl looks for the following users in this order:
+
+1) a user named "xen-qemudepriv-$domname"
+Where $domname is the name of the domain being created.
+To use this, you just need to create a user with the appropriate name
+for each domain. For example, if your virtual machine is named "windows":
+
+adduser --system xen-qemudepriv-windows
+
+
+2) a user named "xen-qemudepriv-base", adding domid to its uid
+This requires the reservation of 65536 uids from the uid of
+xen-qemudepriv-base to uid+65535. For example, if xen-qemudepriv-base
+has uid 6000, and the domid is 25, libxl will try to use uid 6025. To
+use this mechanism, you might want to create a large number of users at
+installation time. For example:
+
+adduser --system xen-qemudepriv-base
+for i in '' $(seq 1 65335)
+do
+adduser --system xen-qemudepriv-base$i
+done
+
+
+3) a user named "xen-qemudepriv-shared"
+As a fall back if both 1) and 2) fail, libxl will use a single user for
+all QEMU instances. The user is named xen-qemudepriv-shared. This is
+less secure but still better than running QEMU as root. Using this is as
+simple as creating just one more user on your host:
+
+adduser --system xen-qemudepriv-shared
+
+
+4) root
+As a last resort, libxl will start QEMU as root.
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 0c6408d..97a921f 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -19,6 +19,8 @@
#include "libxl_internal.h"
#include
+#include
+#include
static const char *libxl_tapif_script(libxl__gc *gc)
{
@@ -439,6 +441,9 @@ static char ** libxl__build_device_model_args_new(libxl__gc
*gc,
int i, connection, devid;
uint64_t ram_size;
const char *path, *chardev;
+struct passwd pwd, *user = NULL;
+char *buf = NULL;
+long buf_size;
dm_args = flexarray_make(gc, 16, 1);
@@ -878,6 +883,61 @@ static char **
libxl__build_device_model_args_new(libxl__gc *gc,
default:
break;
}
+
+buf_size = sysconf(_SC_GETPW_R_SIZE_MAX);
+if (buf_size < 0) {
+LOGE(ERROR, "sysconf(_SC_GETPW_R_SIZE_MAX) returned error %ld",
buf_size);
+goto end_search;
+}
+errno = 0;
+
+retry:
+if (errno == ERANGE)
+buf_size += 512;
+buf = libxl__realloc(gc, buf, buf_size);
+if (c_info->name) {
+errno = 0;
+getpwnam_r(libxl__sprintf(gc, "%s-%s",
+LIBXL_QEMU_USER_PREFIX, c_info->name),
+&pwd, buf, buf_size, &user);
+if (user != NULL)
+goto end_search;
+if (errno == ERANGE)
+goto retry;
+}
+
+errno = 0;
+getpwnam_r(LIBXL_QEMU_USER_BASE, &pwd, buf, buf_size, &user);
+if (user != NULL) {
+errno = 0;
+getpwuid_r(user->pw_uid + guest_domid, &pwd, buf, buf_size, &user);
+if (user != NULL)
+goto end_search;
+if (errno == ERANGE)
+goto retry;
+}
+if (errno == ERANGE)
+goto retry;
+
+errno = 0;
+getpwnam_r(LIBXL_QEMU_USER_SHARED, &pwd, buf, buf_size, &user);
+if (user != NULL) {
+LOG(WARN, "Could not find user %s-%s or user %s (+domid %d),
falling back to %s",
+LIBXL_QEMU_USER_PREFIX, c_info->name, LIBXL_QEMU_USER_BASE,
+guest_domid, LIBXL_QEMU_USER_SHARED);
+goto end_search;
+}
+if (errno == ERANGE)
+goto retry;
+
+
+LOG(WARN, "Could not find user %s, starting QEMU as root",
LIBXL_QEMU_USER_SHARED);
+
+end_search:
+if (user) {
+flexarray_append(dm_args, "-runas");
+flexarray_append(dm_args, user->pw_name);
+}
}
flexarray_append(dm_args, NULL);
return (char **) flexarray_contents(dm_args);
diff --git a/tools/libxl/libxl_internal.h b/tools/lib
