Public bug reported:

Recently a security issue was fixed by setting libvirt's socket permissions to 
0660. See 
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-15708.html

This completely breaks libvirt-dbus system connection.

root@ubuntu:~# gdbus call --system --dest org.libvirt --object-path /org/libvirt/QEMU --method org.libvirt.Connect.ListDomains 0
Error: GDBus.Error:org.libvirt.Error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied

That is because libvirt-sock by default allows rw access to users that are in 
the libvirt group.
 
root@ubuntu:~# ls -la /var/run/libvirt/libvirt-sock
srw-rw---- 1 root libvirt 0 Aug 24 15:33 /var/run/libvirt/libvirt-sock

However, the libvirt-dbus system process is running as the
libvirtdbus/libvirtdbus user/group.
 
root@ubuntu:~# ps aux | grep libvirt-dbus 
libvirt+    6813  0.0  1.6 363436 18892 ?        Sl   15:33   0:00 /usr/sbin/libvirt-dbus --system
root        7207  0.0  0.0   8164   672 pts/0    S+   15:35   0:00 grep --color=auto libvirt-dbus

root@ubuntu:~# cat /proc/6813/status | grep Uid
Uid:    996     996     996     996

root@ubuntu:~# cat /proc/6813/status | grep Gid
Gid:    996     996     996     996

root@ubuntu:~# cat /etc/group | grep 996
libvirtdbus:x:996:

root@ubuntu:~# id libvirtdbus
uid=996(libvirtdbus) gid=996(libvirtdbus) groups=996(libvirtdbus)

And that user/group combination can't talk to the libvirtd.socket.

I fixed it on my system by running usermod -a -G libvirt libvirtdbus. I
would expect some documented solution, if not a fix.

root@ubuntu:~# dpkg-query --show libvirt-dbus
libvirt-dbus    1.3.0-1
root@ubuntu:~# dpkg-query --show libvirt-daemon
libvirt-daemon  6.0.0-0ubuntu8.3

Ubuntu VERSION="20.04.1 LTS (Focal Fossa)"

** Affects: libvirt-dbus (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892757

Title:
  System libvirt-dbus broken after changing libvirtd.socket SocketMode
  to 0660
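
The access decision described in the report, as an added example that is not part of the original bug report or of libvirt: it evaluates the owner/group/other write bit that Linux requires for connect() on a Unix socket. The function names and the libvirt gid 134 are assumptions made for illustration; the mode 0660, owner root and uid/gid 996 come from the report.

```python
import os
import pwd
import stat


def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Return True if (uid, gids) passes the classic mode-bit check for connect().

    Linux requires write permission on a Unix socket to connect to it.
    Exactly one class applies: owner, else group, else other.
    """
    if uid == 0:                       # root bypasses mode bits (CAP_DAC_OVERRIDE)
        return True
    if uid == owner_uid:               # owner class wins even if group would allow more
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_socket(path, username):
    """Check a live socket against the account database entry for username."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    mode = stat.S_IMODE(st.st_mode)
    ok = can_connect(mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
    verdict = "can" if ok else "cannot"
    return ok, f"{path} mode {mode:04o} gid {st.st_gid}: {username} {verdict} connect"


# Constructed values mirroring the report: socket root:libvirt 0660, service uid/gid 996.
LIBVIRT_GID = 134  # assumed gid of the libvirt group; the report does not give it
REPORTED = can_connect(0o660, 0, LIBVIRT_GID, 996, {996})
AFTER_USERMOD = can_connect(0o660, 0, LIBVIRT_GID, 996, {996, LIBVIRT_GID})

if __name__ == "__main__":
    print("as reported:", REPORTED)
    print("after usermod -a -G libvirt libvirtdbus:", AFTER_USERMOD)
    sock = "/var/run/libvirt/libvirt-sock"
    if os.path.exists(sock):
        print(check_socket(sock, "libvirtdbus")[1])
```

check_socket reads group membership from the account database, so an already running process still has the groups it started with until it is restarted. ACLs, parent directory permissions and LSM policy are not evaluated.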
