[libvirt] [PATCH 13/14] Block all use of libvirt.so in setuid programs
Eric Blake
eblake at redhat.com
Mon Dec 23 23:10:02 UTC 2013
On 10/21/2013 07:12 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> Avoid people introducing security flaws in their apps by
> forbidding the use of libvirt.so in setuid programs, with
> a check in virInitialize.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> src/libvirt.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/libvirt.c b/src/libvirt.c
> index 96d8fdc..d76e537 100644
> --- a/src/libvirt.c
> +++ b/src/libvirt.c
> @@ -409,6 +409,14 @@ virGlobalInit(void)
> virErrorInitialize() < 0)
> goto error;
>
> +#ifndef IN_VIRT_LOGIN_SHELL
Oops. This spelling is from an earlier version of your patch series.
But in the version you committed, patch 4/14 (commit 3e2f27e1) named it
the more generic LIBVIRT_SETUID_RPC_CLIENT. Which means
IN_VIRT_LOGIN_SHELL is never defined,...
> + if (virIsSUID()) {
...so virt-login-shell happily reports that it is setuid...
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("libvirt.so is not safe to use from setuid programs"));
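Review bot: the guard at "#ifndef IN_VIRT_LOGIN_SHELL" depends on a macro that this hunk neither defines nor documents. An undefined name in #ifndef compiles without any diagnostic, so if the setuid client is built with a different macro name the exemption silently disappears and the virIsSUID() branch rejects that client too. Use the same macro name as the rest of the series (the reply gives it as LIBVIRT_SETUID_RPC_CLIENT), and add a comment beside the guard saying which build is expected to define it. Also add a test that starts the exempted program setuid and expects initialization to succeed, since the compiler cannot catch this kind of mismatch.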
...and we have killed it. Two separate killers in our CVE fix - not a
good track record on testing things ;(
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org