[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory

Laszlo Ersek lersek at redhat.com
Tue Mar 22 16:10:07 UTC 2022


On 03/22/22 15:35, Richard W.M. Jones wrote:
> When using the libvirt backend and running as root, libvirt will run
> qemu as a non-root user (eg. qemu:qemu).  The v2v directory stores NBD
> endpoints that qemu must be able to open and so we set the directory
> to mode 0711.  Unfortunately this permits any non-root user to open
> the sockets (since, by design, they have predictable names within the
> directory).

Are the NBD socket pathnames visible on the QEMU command line ("ps -ef"
or "ps auxwww")?

If not, then the issue could be prevented by inserting a directory with
a hard-to-guess name in the middle (e.g. one named by uuidgen).

> 
> So instead of using directory permissions, use an ACL which allows us
> to precisely give access to the qemu user and no one else.

If we may assume the "qemu" user name (and we're root), we can just give
qemu:root ownership to the directory, and file mode bits 0700. The qemu
user will have access, and v2v (running as root) will not be hindered by
a theoretical lack of access rights.

> 
> Reported-by: Xiaodai Wang
> Thanks: Dr David Gilbert
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2066773
> ---
>  lib/utils.ml | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/utils.ml b/lib/utils.ml
> index 757bc73c8e..5623250832 100644
> --- a/lib/utils.ml
> +++ b/lib/utils.ml
> @@ -158,8 +158,12 @@ let error_if_no_ssh_agent () =
>  (* Create the directory containing inX and outX sockets. *)
>  let create_v2v_directory () =
>    let d = Mkdtemp.temp_dir "v2v." in
> +  (* If running as root, and if the backend is libvirt, libvirt
> +   * will run qemu as a non-root user.  Allow qemu to open the directory.
> +   *)
>    let running_as_root = Unix.geteuid () = 0 in
> -  if running_as_root then Unix.chmod d 0o711;
> +  if running_as_root && backend_is_libvirt () then
> +    ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d)));
>    On_exit.rmdir d;
>    d
>  
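Review bot: the exit status of `setfacl` is thrown away (`ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d)))`), so if `setfacl` is not installed, the filesystem does not support ACLs, or no "qemu" account exists, the directory silently keeps the permissions `Mkdtemp.temp_dir` gave it and qemu will later fail to open the sockets with a much less obvious error; check the return code and raise an error (or at least a warning) that names the directory. Two smaller points: the "qemu" user name is hard-coded although the commit message gives `qemu:qemu` only as an example, and the old `Unix.chmod d 0o711` ran whenever `running_as_root` was true, whereas the new branch also requires `backend_is_libvirt ()`, a behaviour change for other backends that deserves a sentence in the commit message.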
> 

Not ideal -- yet another facility, in order to get around a security
measure we put in place ourselves -- but it gets the job done...

Acked-by: Laszlo Ersek <lersek at redhat.com>
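The thread weighs three ways of letting libvirt's qemu user into the v2v directory: mode 0711 (traversable by everyone), a POSIX ACL applied with setfacl, and the chown qemu:root plus 0700 alternative suggested above. The Python below is an added example, not libguestfs or virt-v2v code, that makes the trade-off concrete: a check for the 0711 weakness (any user who knows a socket's predictable name can reach it), an ACL grant that runs setfacl without a shell and reports its exit status rather than ignoring it, and the ownership-based variant. The "qemu" user name and the "v2v." prefix come from the thread; the function names, the `running_as_root` override and the `demo()` helper are assumptions made for this example.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def world_traversable(path: str) -> bool:
    """True if 'other' has the search (execute) bit on a directory.
    That is exactly what mode 0711 grants: any local user who knows the
    predictable socket name inside can connect to it."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IXOTH)


def setfacl_argv(user: str, path: str) -> list:
    """Argument vector granting one user rwx via a POSIX ACL.
    Built as a list so the path is never interpreted by a shell."""
    return ["setfacl", "-m", f"user:{user}:rwx", path]


def grant_acl(user: str, path: str):
    """Run setfacl and surface the outcome.
    Returns the exit status, or None if setfacl is not installed."""
    try:
        proc = subprocess.run(setfacl_argv(user, path), capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.returncode


def restrict_to_owner(path: str, uid: int, gid: int) -> None:
    """The ownership alternative: hand the directory to the qemu account
    (qemu:root) and drop to 0700.  Root, which runs v2v, is not blocked by
    the missing mode bits.  Requires root and an existing qemu user."""
    os.chown(path, uid, gid)
    os.chmod(path, 0o700)


def create_v2v_directory(qemu_user: str = "qemu", running_as_root=None) -> str:
    """Create the socket directory (mkdtemp gives 0700) and, when root,
    grant the qemu user access with an ACL; fail loudly if that fails.
    `running_as_root` may be forced for testing (assumed parameter)."""
    d = tempfile.mkdtemp(prefix="v2v.")
    if running_as_root is None:
        running_as_root = os.geteuid() == 0
    if running_as_root:
        rc = grant_acl(qemu_user, d)
        if rc is None:
            shutil.rmtree(d)
            raise RuntimeError(f"setfacl not found; cannot grant {qemu_user} access to {d}")
        if rc != 0:
            shutil.rmtree(d)
            raise RuntimeError(f"setfacl exited with status {rc} on {d}")
    return d


def demo() -> dict:
    """Constructed scenario: compare the 0711 mode from the old code with
    the 0700 directory mkdtemp creates.  Returns the observations."""
    d = tempfile.mkdtemp(prefix="v2v.")
    try:
        os.chmod(d, 0o711)
        open_to_all = world_traversable(d)
        os.chmod(d, 0o700)
        locked_down = world_traversable(d)
    finally:
        shutil.rmtree(d)
    created = create_v2v_directory(running_as_root=False)
    try:
        fresh_mode = stat.S_IMODE(os.stat(created).st_mode)
    finally:
        shutil.rmtree(created)
    return {
        "mode_0711_traversable": open_to_all,
        "mode_0700_traversable": locked_down,
        "fresh_dir_mode": fresh_mode,
        "argv": setfacl_argv("qemu", created),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the 0711 directory as traversable by everyone and the 0700 one as not; the ACL path is only attempted as root, and unlike `ignore (Sys.command ...)` it turns a missing or failing setfacl into an error naming the directory.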

