I'll answer my own question, from nova/virt/libvirt/connection.py:

    # Excerpt from nova/virt/libvirt/connection.py. get_pty_for_instance() and
    # get_open_port() are nested helpers inside a method of the libvirt
    # connection class, which is where 'self' and 'instance' come from.
    import uuid
    from xml.dom import minidom

    from nova import utils

    def get_pty_for_instance(instance_name):
        # Ask libvirt for the domain XML and pull the pty path out of the
        # first <serial type='pty'> device.
        virt_dom = self._lookup_by_name(instance_name)
        xml = virt_dom.XMLDesc(0)
        dom = minidom.parseString(xml)
        for serial in dom.getElementsByTagName('serial'):
            if serial.getAttribute('type') == 'pty':
                source = serial.getElementsByTagName('source')[0]
                return source.getAttribute('path')

    port = get_open_port()
    token = str(uuid.uuid4())
    host = instance['host']
    # The pty path is interpolated into a command string that ajaxterm runs,
    # with socat started via sudo, i.e. as root.
    ajaxterm_cmd = 'sudo socat - %s' \
        % get_pty_for_instance(instance['name'])
    cmd = ['ajaxterm', '--command', ajaxterm_cmd, '-t', token,
           '-p', port, '-T', '300']
    utils.execute(cmd)

I think this could potentially be replaced with netcat as it looks like netcat provides equivalent args. I'm not sure why we are using '-t <token>' with socat since '-t' is a timeout value...

socat is being invoked as root by nova here, and the socat code is fairly crufty (see my review below) so this is not desirable. On my non-nova qemu-kvm VMs, I see that the pty is owned by the unprivileged libvirt-qemu:

    $ ls -l /dev/pts/5
    crw--w---- 1 libvirt-qemu tty 136, 5 2011-09-21 10:29 /dev/pts/5

I can say that while the code is running as root, the arguments passed to socat do not seem to be under attacker control and utils.execute() is not generally susceptible to shell injection on this host, so that is good. However, combined with ajaxterm, it does look like if someone is somehow able to adjust the output of the get_pty_for_instance() command, then, via shell injection, the arguments to socat could be adjusted for arbitrary code execution (since it supports scripting). Fiddling with libvirt and defining some bad XML, I was not able to subvert libvirt into accepting bad input, but I also didn't try very hard.

Perhaps if sticking with socat these can be adjusted:

- run socat with least privilege (keep in mind that libvirt can be configured to run VMs as root, and I haven't looked at LXC if that is relevant)
- perform input validation on get_pty_for_instance() to defend against any bugs in libvirt

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to socat in Ubuntu.
https://bugs.launchpad.net/bugs/829234

Title:
  [MIR] socat

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
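An added example (not nova's code) of the second suggestion above: validate the pty path taken from the libvirt domain XML before it goes anywhere near a privileged helper, and build the socat invocation as an argv list instead of a formatted shell string. The XML below is constructed for the demo; the strict /dev/pts/N shape and the `check_device` option are assumptions about what a sane pty path looks like on the host.

```python
import os
import re
import stat
from xml.dom import minidom

# Only accept a plain /dev/pts/N path; anything else (options, spaces,
# traversal, other devices) is refused rather than passed on to socat.
_PTY_RE = re.compile(r'^/dev/pts/(0|[1-9][0-9]{0,4})$')

# Constructed sample of what libvirt's XMLDesc() returns for a pty console.
SAMPLE_DOMAIN_XML = (
    "<domain type='kvm'><devices>"
    "<serial type='pty'><source path='/dev/pts/5'/><target port='0'/></serial>"
    "</devices></domain>"
)

def extract_pty_path(domain_xml):
    """Return the path of the first <serial type='pty'> device, or None."""
    dom = minidom.parseString(domain_xml)
    for serial in dom.getElementsByTagName('serial'):
        if serial.getAttribute('type') != 'pty':
            continue
        sources = serial.getElementsByTagName('source')
        if sources:
            return sources[0].getAttribute('path')
    return None

def validate_pty_path(path, check_device=False):
    """True only for a /dev/pts/N string; with check_device=True the path
    must also exist and be a character device on this host."""
    if not isinstance(path, str) or not _PTY_RE.match(path):
        return False
    if check_device:
        try:
            st = os.stat(path)
        except OSError:
            return False
        return stat.S_ISCHR(st.st_mode)
    return True

def build_socat_argv(pty_path):
    """argv for socat (no shell, no string formatting), validated first."""
    if not validate_pty_path(pty_path):
        raise ValueError('refusing unexpected pty path: %r' % (pty_path,))
    return ['socat', '-', pty_path]

if __name__ == '__main__':
    print(build_socat_argv(extract_pty_path(SAMPLE_DOMAIN_XML)))
```

Running socat from this argv under an unprivileged account (the pty is owned by libvirt-qemu on the host above) covers the first suggestion; the validation covers the second.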