[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file
Hong Xiang
hxiang at linux.vnet.ibm.com
Wed Oct 12 03:57:25 UTC 2011
I found there's a way for an unprivileged user to overwrite a sensitive
system file with virsh. Here's how:

1. (as an unprivileged user) start virsh and connect to the r/w socket
   of libvirtd:
     virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
2. start a guest, then issue the 'save' or 'dump' command, giving a
   sensitive system file path as the <file> parameter, for example,
   '/etc/passwd';
3. the sensitive system file will be overwritten;

Attached is a test log. I'm using libvirt-0.8.7 on an OpenClient for RHEL
6.1, and the latest libvirt code shows the same symptom.

BTW, virsh expands the <file> parameter in step 2 to an absolute path if
the user-provided one is not, and libvirtd interprets it as a local file. IMHO
it does not look quite right, especially when the virsh-to-libvirtd
connection is remote.
--
Thanks.
Hong Xiang
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20111012/960a6016/attachment-0001.txt>
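
A defender-side check related to step 1 of the report, added here as an example and not part of the original message or of libvirt: it reads libvirtd.conf text and reports whether the read-write UNIX socket is configured so that any local account can connect without authentication. The two sample configurations are constructed; unix_sock_rw_perms and auth_unix_rw are libvirtd.conf options, and reporting an unset option as "not set" rather than guessing the build default is an assumption of this example.

```python
import re

# Constructed sample configurations (not taken from the report).
OPEN_CONF = '''
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0777"
auth_unix_rw = "none"
'''
RESTRICTED_CONF = '''
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_rw = "polkit"
'''

_LINE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_conf(text):
    """Return {key: value} for uncommented key = value lines."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit_rw_socket(text):
    """List findings about who can reach the read-write socket."""
    conf = parse_conf(text)
    findings = []
    perms = conf.get("unix_sock_rw_perms")
    auth = conf.get("auth_unix_rw")
    if perms is None:
        findings.append("unix_sock_rw_perms not set: check the socket mode on disk")
    else:
        try:
            if int(perms, 8) & 0o002:  # world-write bit allows connect()
                findings.append("r/w socket mode %s lets any local user connect" % perms)
        except ValueError:
            findings.append("unix_sock_rw_perms is not an octal mode: %r" % perms)
    if auth is None:
        findings.append("auth_unix_rw not set: the build default applies")
    elif auth == "none":
        findings.append("auth_unix_rw is none: no authentication on the r/w socket")
    return findings
```

Calling audit_rw_socket() on the contents of the host's libvirtd.conf returns an empty list when the socket mode excludes other users and an authentication scheme is set.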