[libvirt PATCH] remote: use SocketMode=0600 when polkit is not compiled

Daniel P. Berrangé berrange at redhat.com
Thu Sep 3 14:39:24 UTC 2020


On Thu, Sep 03, 2020 at 04:22:39PM +0200, Ján Tomko wrote:
> On a Wednesday in 2020, Daniel P. Berrangé wrote:
> > The systemd .socket unit files we ship for libvirt daemons use
> > SocketMode=0666 on the assumption that libvirt is built with
> > polkit which provides access control.
> > 
> > Some people, however, may have explicitly turned off polkit at
> > build time and not realize that leaves them insecure unless
> > they also change the SocketMode.  This addresses that problem
> > by making the SocketMode default to 0600 when polkit is
> > disabled at compile time.
> > 
> > Note we cannot automatically fix the case where the user
> > compiles polkit, but then overrides the libvirtd.conf defaults
> > to disable polkit. This is what led to CVE-2020-15708 in
> > Ubuntu 20.10.  We can at least improve the inline comments
> > in the config file to give a clearer warning though, which
> > may have helped avoid the mistaken config.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> > src/meson.build               | 11 ++++++++++
> > src/remote/libvirtd.conf.in   | 40 ++++++++++++++++++++++++++---------
> > src/remote/libvirtd.socket.in |  2 +-
> > 3 files changed, 42 insertions(+), 11 deletions(-)
> > 
> > diff --git a/src/meson.build b/src/meson.build
> > index 5d8deaf548..897b5ecbca 100644
> > --- a/src/meson.build
> > +++ b/src/meson.build
> > @@ -713,6 +713,12 @@ foreach data : virt_daemon_confs
> >   daemon_conf.set('DAEMON_NAME_UC', name_uc)
> >   # to silence meson warning about missing 'CONFIG' in the configuration_data
> >   daemon_conf.set('CONFIG', '@CONFIG@')
> > +  if conf.has('WITH_POLKIT')
> > +    daemon_conf.set('default_auth', 'polkit')
> > +  else
> > +    daemon_conf.set('default_auth', 'none')
> > +  endif
> > +
> > 
> >   if data.get('with_ip', false)
> >     conf_in = libvirtd_conf_tmp
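Review bot: `default_auth` is computed for every entry of virt_daemon_confs, but per the diffstat only src/remote/libvirtd.conf.in is changed to consume `@default_auth@`; if the other daemons' conf templates generated by this loop carry the same auth_unix_ro comment they should get the same substitution, otherwise the value is computed and silently unused for them. Style: the added blank `+` line sits directly before an existing blank context line, leaving two consecutive empty lines; drop the added one.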
> > @@ -792,6 +798,11 @@ if conf.has('WITH_LIBVIRTD')
> >       unit_conf.set('service', unit['service'])
> >       unit_conf.set('sockprefix', unit['sockprefix'])
> >       unit_conf.set('deps', unit.get('deps', ''))
> > +      if conf.has('WITH_POLKIT')
> > +        unit_conf.set('mode', '0666')
> > +      else
> > +        unit_conf.set('mode', '0600')
> > +      endif
> > 
> >       configure_file(
> >         input: unit['service_in'],
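Review bot: `mode` is set only inside the `if conf.has('WITH_LIBVIRTD')` unit loop, and the diffstat touches only src/remote/libvirtd.socket.in, while the commit message speaks of the .socket units shipped for libvirt daemons in general. If the modular daemons' socket units are generated elsewhere and also carry SocketMode=0666, they remain world-connectable in a non-polkit build and need the same `@mode@` substitution; if only libvirtd is affected, the commit message should say so. Note also that one `mode` value is applied to every unit this loop produces regardless of `sockprefix`; if any of those sockets should keep a different mode, that needs a per-unit setting rather than the loop-wide one.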
> > diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
> > index 2607fbad86..ae6207bf54 100644
> > --- a/src/remote/libvirtd.conf.in
> > +++ b/src/remote/libvirtd.conf.in
> > @@ -127,6 +127,8 @@
> > #
> > # Authentication.
> > #
> > +# There are the following choices available:
> > +#
> > #  - none: do not perform auth checks. If you can connect to the
> > #          socket you are allowed. This is suitable if there are
> > #          restrictions on connecting to the socket (eg, UNIX
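Review bot: wording nit on the first added line, "There are the following choices available:" reads better as "The following choices are available:".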
> > @@ -144,21 +146,39 @@
> > #            full read/write access (aka sudo like), while anyone
> > #            is allowed read/only access.
> > #
> > +
> > # Set an authentication scheme for UNIX read-only sockets
> > +#
> > # By default socket permissions allow anyone to connect
> > #
> > -# To restrict monitoring of domains you may wish to enable
> > -# an authentication mechanism here
> > -#auth_unix_ro = "none"
> > +# If libvirt was compiled without support for 'polkit', then
> > +# no access control checks are done, but libvirt still only
> > +# allows execution of APIs which don't change state.
> > +#
> > +# If libvirt was compiled with support for 'polkit', then
> > +# the libvirt socket will perform a check with polkit after
> > +# connections. The default policy still allows any local
> > +# user access.
> > +#
> > +# To restrict monitoring of domains you may wish to either
> > +# enable 'sasl' here, or change the polkit policy definition.
> > +#auth_unix_ro = "@default_auth@"
> > 
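Review bot: the unchanged context line "By default socket permissions allow anyone to connect" is no longer true once this same patch sets SocketMode=0600 for builds without polkit; since the two new paragraphs below it distinguish the polkit and non-polkit cases, move that sentence into the polkit paragraph or qualify it with "when built with polkit". Also, `@default_auth@` is substituted into a commented-out line, so it only documents the default: please confirm the daemon's built-in default for auth_unix_ro follows WITH_POLKIT in the same way, and give the augeas test template that checks this file's defaults the same substitution (the CI failure Ján points at). Minor: "perform a check with polkit after connections" would read better as "check with polkit when a client connects".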
> 
> This change affects the augeas tests which will need some special
> treatment:
> https://gitlab.com/libvirt/libvirt/-/jobs/717784534#L2306

Urgh, I wasn't paying attention to CI since it was already broken
for other jobs.  I'll post a fix soon.



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
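As an added example (not part of the patch and not libvirt's own code): a POSIX shell check for the misconfiguration the commit message describes, a libvirtd .socket unit any local user can connect to (SocketMode with the "other" write bit set; connect(2) on a UNIX socket needs write permission on it) combined with auth_unix_rw = "none" in libvirtd.conf. The unit and config files it reads are constructed inline for the demo; on a real host you would point the functions at /etc/libvirt/libvirtd.conf and the installed libvirtd.socket unit (its location is distribution specific). It assumes the shipped config keeps the convention that a commented-out `#key = "value"` line documents the built-in default, and relies on systemd's documented SocketMode= default of 0666 when the key is absent.

```shell
#!/bin/sh
# Added example, not libvirt code: flag the CVE-2020-15708-style combination
# of a world-connectable libvirtd socket and auth_unix_rw = "none".
# Sample files below are constructed for the demo (written to a temp dir).

# Effective SocketMode= of a systemd .socket unit. systemd documents 0666 as
# the default when the key is absent, so report that instead of nothing.
socket_mode() {
    m=$(sed -n 's/^[[:space:]]*SocketMode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${m:-0666}"
}

# Effective value of a libvirtd.conf key. An uncommented assignment wins;
# otherwise fall back to the commented-out '#key = "..."' line, which in the
# shipped file documents the built-in default (assumption: that convention holds).
conf_value() {
    f=$1; key=$2
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$f" | tail -n 1)
    if [ -z "$v" ]; then
        v=$(sed -n "s/^[[:space:]]*#[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$f" | tail -n 1)
    fi
    printf '%s\n' "${v:-unknown}"
}

# Returns 0 when the (mode, auth) pair is acceptable, 1 when the socket is
# connectable by every local user and no authentication is performed on it.
socket_auth_ok() {
    m=$1; a=$2
    other=${m#"${m%?}"}        # last octal digit: permission bits for "other"
    case "$other" in
        2|3|6|7)
            if [ "$a" = none ]; then
                return 1
            fi ;;
    esac
    return 0
}

# Unit file, config file, and the auth_unix_* key that governs the socket the
# unit creates (auth_unix_rw for libvirt-sock, auth_unix_ro for libvirt-sock-ro).
check_socket() {
    mode=$(socket_mode "$1")
    auth=$(conf_value "$2" "$3")
    if socket_auth_ok "$mode" "$auth"; then
        echo "ok: SocketMode=$mode $3=$auth"
    else
        echo "INSECURE: SocketMode=$mode with $3=$auth (every local user reaches this socket)"
        return 1
    fi
}

# --- constructed demo input ---
demo=$(mktemp -d)
cat > "$demo/libvirtd.socket" <<'EOF'
[Socket]
ListenStream=/run/libvirt/libvirt-sock
SocketMode=0666
EOF
# polkit build, but the admin overrode the default: the mistake the commit
# message says cannot be caught at build time
cat > "$demo/overridden.conf" <<'EOF'
#auth_unix_rw = "polkit"
auth_unix_rw = "none"
EOF
# untouched shipped config: the commented default stays in force
cat > "$demo/default.conf" <<'EOF'
#auth_unix_rw = "polkit"
EOF

check_socket "$demo/libvirtd.socket" "$demo/overridden.conf" auth_unix_rw || true
check_socket "$demo/libvirtd.socket" "$demo/default.conf" auth_unix_rw
```

The check deliberately looks only at the "other" digit: a 0660 socket owned by a dedicated group with auth_unix_rw = "none" is the conventional group-based setup the config comments describe, and is not flagged. Run the same call with auth_unix_ro and the read-only socket unit to cover the case this patch's comment text is about.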



