Package: libvirt
Version: 3.0.0-4
Severity: normal

Hi libvirt Maintainers,
This change is about further limiting the potential fallout if a guest can break into the dnsmasq it can reach - there, currently running as nobody, it can reach other "nobodies".

The preferred solution is to run it as a service-specific system user. In this case, because there may be multiple dnsmasq daemons running, a separate libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under a system user called unsurprisingly 'dnsmasq').

I was updating the old contribution of Serge to match latest Debian and newer libvirt. I also ran several test builds on various architectures to ensure nothing breaks in this that I'd miss.

Also this is another patch we have carried in Ubuntu for a while - so it should be considered somewhat safe and tested, and I think it will certainly benefit Debian as well.

P.S. I was thinking on reusing the dnsmasq user that is added by dnsmasq package itself, but then since the original suggestion to intentionally make it a libvirt-dnsmasq I punted that for now. Yet OTOH it would allow to not have to take the user add snippet in the postinst - I'd leave it up to you if you prefer the dnsmasq user of the package or the more specific libvirt-dnsmasq user.

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
From 556231704592560192280b5d2cfc1b623296fcef Mon Sep 17 00:00:00 2001 From: Serge Hallyn <[email protected]> Date: Wed, 14 Dec 2016 12:30:17 +0100 Subject: [PATCH] security: run dnsmasq as libvirt-dnsmasq user Generally it's bad form from a security perspective to run daemons as user nobody because a vulnerability in one daemon will possibly allow it, when compromised, to interfere with another daemon that is also running as nobody. The preferred solution is to run it as a service-specific system user. In this case, because there may be multiple dnsmasq daemons running, a separate libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under a system user called unsurprisingly 'dnsmasq'). So this change does: - add a libvirt-dnsmasq user - set the user libvirt executes dnsmasq on to livirt-dnsmasq - adapts expected results of autotest testcases Update in v2 by Christian Ehrhardt - remove ubuntu names in patch name for Debian submission - fix newer testcases expected results so that it works on recent libvirt versions Signed-off-by: Christian Ehrhardt <[email protected]> --- debian/libvirt-daemon-system.postinst | 11 ++ debian/patches/dnsmasq-as-priv-user | 215 ++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 227 insertions(+) create mode 100644 debian/patches/dnsmasq-as-priv-user diff --git a/debian/libvirt-daemon-system.postinst b/debian/libvirt-daemon-system.postinst index b2e289c..a7e7c9c 100644 --- a/debian/libvirt-daemon-system.postinst +++ b/debian/libvirt-daemon-system.postinst @@ -65,6 +65,17 @@ add_users_groups() addgroup --quiet --system $PARAMETER_GID libvirt-qemu adduser --quiet libvirt-qemu libvirt-qemu fi + if ! getent passwd libvirt-dnsmasq >/dev/null; then + adduser --quiet \ + --system \ + --ingroup libvirt \ + --disabled-login \ + --disabled-password \ + --home /var/lib/libvirt/dnsmasq \ + --no-create-home \ + --gecos "Libvirt Dnsmasq" \ + libvirt-dnsmasq + fi } 
diff --git a/debian/patches/dnsmasq-as-priv-user b/debian/patches/dnsmasq-as-priv-user new file mode 100644 index 0000000..23bfde0 --- /dev/null +++ b/debian/patches/dnsmasq-as-priv-user 
@@ -0,0 +1,215 @@ +Title: Run DNSMASQ as libvirt-dnsmasq user +DEP: 3 +Date: 2012-03-02 +Drivers: Serge Hallyn +URL: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/938255 +Abstract: + Generally it's bad form from a security perspective to run daemons as user + nobody because a vulnerability in one daemon will possibly allow it, when + compromised, to interfere with another daemon that is also running as nobody. + The preferred solution is to run it as a service-specific system user. In this + case, because there may be multiple dnsmasq daemons running, a separate + libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under + a system user called unsurprisingly 'dnsmasq'). +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -1075,7 +1075,8 @@ + "## virsh net-edit %s\n" + "## or other application using the libvirt API.\n" + "##\n## dnsmasq conf file created by libvirt\n" +- "strict-order\n", ++ "strict-order\n" ++ "user=libvirt-dnsmasq\n", + network->def->name); + + /* if dns is disabled, set its listening port to 0, which +--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf ++++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/dhcp6-nat-network.conf ++++ b/tests/networkxml2confdata/dhcp6-nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/dhcp6-network.conf ++++ b/tests/networkxml2confdata/dhcp6-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=mynet + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/isolated-network.conf ++++ 
b/tests/networkxml2confdata/isolated-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-interfaces + listen-address=192.168.152.1 +--- a/tests/networkxml2confdata/nat-network.conf ++++ b/tests/networkxml2confdata/nat-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-forwarders.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forwarders.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + no-resolv + server=8.8.8.8 + server=8.8.4.4 +--- a/tests/networkxml2confdata/nat-network-dns-forward-plain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-forward-plain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf ++++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + domain-needed +--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-interfaces + listen-address=192.168.122.1 +--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf 
++++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr0 +--- a/tests/networkxml2confdata/netboot-network.conf ++++ b/tests/networkxml2confdata/netboot-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/netboot-proxy-network.conf ++++ b/tests/networkxml2confdata/netboot-proxy-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + domain=example.com + expand-hosts + except-interface=lo +--- a/tests/networkxml2confdata/routed-network.conf ++++ b/tests/networkxml2confdata/routed-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/nat-network-dns-local-domain.conf ++++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/example.com/ + domain=example.com + expand-hosts +--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf ++++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-interfaces + listen-address=192.168.122.1 +--- a/tests/networkxml2confdata/open-network.conf ++++ b/tests/networkxml2confdata/open-network.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + except-interface=lo + bind-dynamic + interface=virbr1 +--- a/tests/networkxml2confdata/ptr-domains-auto.conf ++++ 
b/tests/networkxml2confdata/ptr-domains-auto.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + local=/122.168.192.in-addr.arpa/ + local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ + except-interface=lo +--- a/tests/networkxml2confdata/routed-network-no-dns.conf ++++ b/tests/networkxml2confdata/routed-network-no-dns.conf +@@ -5,6 +5,7 @@ + ## + ## dnsmasq conf file created by libvirt + strict-order ++user=libvirt-dnsmasq + port=0 + except-interface=lo + bind-dynamic diff --git a/debian/patches/series b/debian/patches/series index e2166ce..102717e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -18,3 +18,4 @@ Pass-GPG_TTY-env-var-to-the-ssh-binary.patch openpty-Skip-test-if-no-pty-is-available.patch test-posix_openpt-don-t-fail-on-EACCESS.patch debian/Debianize-virtlogd.patch +dnsmasq-as-priv-user -- 2.7.4
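
Review bot: In the add_users_groups() hunk of debian/libvirt-daemon-system.postinst, `--ingroup libvirt` makes the shared `libvirt` group the primary group of the new account, whereas the libvirt-qemu lines directly above it create a dedicated `libvirt-qemu` group. The commit message argues for isolating dnsmasq from everything else, so whatever access the `libvirt` group carries would still be available to a compromised dnsmasq. Please give the account its own group (adduser's `--group` instead of `--ingroup libvirt`), or state in the commit message which access through `libvirt` the daemon actually needs. The same hunk sets `--home /var/lib/libvirt/dnsmasq` together with `--no-create-home`, so it should also say who creates that directory and with which ownership.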
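
Review bot: In the src/network/bridge_driver.c hunk carried inside debian/patches/dnsmasq-as-priv-user, `"user=libvirt-dnsmasq\n"` is a hard-coded string literal written into every generated dnsmasq config, while the account itself is only created by libvirt-daemon-system.postinst. Nothing in the visible change ties the two together: if the network driver writes this config on a system where that postinst has not run, the config names a user that does not exist. Please take the name from a build-time define (so packaging and code cannot drift apart) or at least document the dependency in the patch header. Only `user=` is set here; if the group dnsmasq runs under matters for the isolation goal, set it explicitly and add it to the expected output in tests/networkxml2confdata/*.conf as well.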
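
Review bot: In the debian/patches/series hunk, the new entry `dnsmasq-as-priv-user` has no `.patch` suffix and sits at the top level, while the three entries above it all end in `.patch` and the Debian-specific one lives under `debian/`. Renaming the file to follow the same pattern, and updating the `create mode` path and the series line to match, keeps the patch queue consistent and makes it obvious that this one is a distribution-only change.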

