[libvirt] Possible security hole? unprivileged user can use virsh to overwrite sensitive system file
Hong Xiang
hxiang at linux.vnet.ibm.com
Thu Oct 13 03:56:14 UTC 2011
It turned out that in my environment the user 'hxiang' I was testing
with is in group 'desktop_admin_r' and PolicyKit takes all users in that
group as administrators. That's why I could connect without authentication.
Sorry for the false alarm.
On 10/12/2011 04:22 PM, Daniel P. Berrange wrote:
> On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
>> I found there's a way for a unprivileged user to overwrite sensitive
>> system file with virsh, here's how:
>> 1. (as an unprivileged user) start virsh and connect to the r/w
>> socket of libvirtd:
>> virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
>
> Unless you have turned off authentication, this requires you to provide
> your root password via PolicyKit. Thus you can no longer be considered
> an 'unprivileged' user after this point.
>
>> 2. start a guest, then issue 'save' or 'dump' command, giving a
>> sensitive system file path as the<file> parameter, for example,
>> '/etc/passwd';
>> 3. the sensitive system file will be overwritten;
>
> There's no security hole. If you have successfully authenticated to the
> privileged libvirtd daemon over the read-write socket, then you are
> considered to have a privilege level equivalent to a root shell.
>
> Regards,
> Daniel
--
Thanks.
Hong Xiang
More information about the libvir-list
mailing list