[libvirt] improve security by adjusting the privileges of libvirtd processes

Neal Gompa ngompa13 at gmail.com
Wed Nov 18 02:21:07 UTC 2020


On Mon, Nov 16, 2020 at 7:12 AM yebiaoxiang <yebiaoxiang at huawei.com> wrote:
>
> Hi Team
>
> The daemon libvirtd runs as the root user, which goes against the least privilege
> security model.
>
> root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
>
> In addition, the "--listen" parameter exposes TCP or TLS ports on the network,
> increasing the attack surface.
>
> tcp   0   0 0.0.0.0:16509  0.0.0.0:*  LISTEN  647824/libvirtd
> tcp   0   0 0.0.0.0:16514  0.0.0.0:*  LISTEN  647824/libvirtd
>
> I have the following puzzles:
>  1. Is root the least privilege required for libvirtd to manage
>     virtualization platforms? Is it possible to run libvirtd as a non-root user?
>
>  2. Is there any plan to resolve these security weaknesses?
>     (like moving the function of "--listen" to an independent non-root process,
>      or other better schemes)

While generally this is a good idea (and libvirt has been splitting
out functionality into separate daemons for improving security around
the service in general), I'm wondering if you looked at what libvirt
is supposed to do and how it works today.

Note that at least on reasonable distribution configurations,
"--listen" is no longer used by default (at least not for a couple of
years now), and even in socket-activated mode, listening on IP sockets
(TCP/TLS) requires some configuration before it works. At least out of
the box, it crashes with a not-configured error. So some interaction
is required to configure and activate that mode.

While it is possible to run libvirtd as a non-root user, it's quite
annoying to do so and requires a sufficient amount of hoop-jumping
(granting access to KVM socket, ensuring it has ability to bind to
ports, configuring network, etc.) that it's easier to run it as root
and then impose rules to effectively deprivilege it by other means
(SELinux, daemon separation, etc.).

Unless you're running a version of libvirt from before 2018, I think
that your concerns are fairly well resolved.

P.S.: Your Cc for your colleagues was malformed. I fixed it in my reply.


-- 
真実はいつも一つ!/ Always, there's only one truth!
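
An added example, not part of the original message or of libvirt: a small audit that parses `ps aux` and `netstat -ltnp` style output, as quoted in the thread, and reports libvirtd processes started with --listen and libvirtd sockets bound to non-loopback addresses. The sample lines are constructed from the ones in the thread, and the function names are hypothetical.

```python
"""Flag libvirtd instances that run with --listen or accept remote TCP/TLS."""

# Constructed sample input, modelled on the `ps aux` and `netstat -ltnp`
# lines quoted in the thread, plus unrelated entries that must be ignored.
PS_SAMPLE = """\
root 567642 1.2 0.0 2856020 47576 ? Ssl 15:49 0:02 /usr/sbin/libvirtd --listen
qemu 567900 0.3 0.1 912340 30112 ? Sl 15:50 0:01 /usr/bin/qemu-system-x86_64 -name guest1
"""
NETSTAT_SAMPLE = """\
tcp   0   0 0.0.0.0:16509  0.0.0.0:*  LISTEN  647824/libvirtd
tcp   0   0 0.0.0.0:16514  0.0.0.0:*  LISTEN  647824/libvirtd
tcp   0   0 127.0.0.1:631  0.0.0.0:*  LISTEN  1201/cupsd
"""

# libvirt's default remote ports: 16509 is plain TCP, 16514 is TLS.
TRANSPORT = {16509: "tcp (unencrypted)", 16514: "tls"}


def audit_processes(ps_text):
    """Return (pid, user, issue) for each libvirtd started with --listen."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)      # 11th field is the full command line
        if len(fields) < 11:
            continue
        argv = fields[10].split()
        if argv[0].rsplit("/", 1)[-1] != "libvirtd":
            continue
        if "--listen" in argv or "-l" in argv:   # -l is the short form
            findings.append((int(fields[1]), fields[0], "started with --listen"))
    return findings


def audit_listeners(netstat_text):
    """Return (pid, address, port, transport) for non-loopback libvirtd sockets."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        pid, _, prog = fields[6].partition("/")
        if prog != "libvirtd":
            continue
        host, _, port = fields[3].rpartition(":")   # rpartition copes with IPv6
        if host.startswith("127.") or host in ("::1", "[::1]"):
            continue                                # local only, not exposed
        findings.append((int(pid), host, int(port),
                         TRANSPORT.get(int(port), "non-default port")))
    return findings
```
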




