control: severity -1 wishlist
control: tag -1 -patch

Hi Christian,

On Thu, May 11, 2017 at 04:05:48PM +0200, Christian Ehrhardt wrote:
> Package: libvirt
> Version: 3.0.0-4
> Severity: normal
>
> Hi libvirt Maintainers,
>
> This change is about further limiting the potential fallout if a guest can
> break into the dnsmasq it can reach - there currently running as nobody it
> can reach other "nobodies". The preferred solution is to run it as a
> service-specific system user. In this case, because there may be multiple
> dnsmasq daemons running, a separate libvirt-dnsmasq user (the dnsmasq
> package itself runs the dnsmasq daemon under a system user called
> unsurprisingly 'dnsmasq').
Not using nobody makes sense but…

[..snip..]

> + if ! getent passwd libvirt-dnsmasq >/dev/null; then
> + adduser --quiet \
> + --system \
> + --ingroup libvirt \

…adding it to the libvirt group gives it root-like privileges since it might
get _full_ access to the libvirt daemon (it's the group used for polkit and
the default group in /etc/libvirt/libvirtd.conf for socket-based write
access). This is a weakening of the current security model.

> + --disabled-login \
> + --disabled-password \
> + --home /var/lib/libvirt/dnsmasq \
> + --no-create-home \
> + --gecos "Libvirt Dnsmasq" \
> + libvirt-dnsmasq
> + fi
> }

Since the user does not own any files it should be removed on purge.

>
>
> diff --git a/debian/patches/dnsmasq-as-priv-user
> b/debian/patches/dnsmasq-as-priv-user
> new file mode 100644
> index 0000000..23bfde0
> --- /dev/null
> +++ b/debian/patches/dnsmasq-as-priv-user
> @@ -0,0 +1,215 @@
> +Title: Run DNSMASQ as libvirt-dnsmasq user
> +DEP: 3
> +Date: 2012-03-02
> +Drivers: Serge Hallyn
> +URL: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/938255
> +Abstract:
> + Generally it's bad form from a security perspective to run daemons as user
> + nobody because a vulnerability in one daemon will possibly allow it, when
> + compromised, to interfere with another daemon that is also running as
> nobody.
> + The preferred solution is to run it as a service-specific system user. In
> this
> + case, because there may be multiple dnsmasq daemons running, a separate
> + libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon
> under
> + a system user called unsurprisingly 'dnsmasq').
> +--- a/src/network/bridge_driver.c
> ++++ b/src/network/bridge_driver.c
> +@@ -1075,7 +1075,8 @@
> + "## virsh net-edit %s\n"
> + "## or other application using the libvirt API.\n"
> + "##\n## dnsmasq conf file created by libvirt\n"
> +- "strict-order\n",
> ++ "strict-order\n"
> ++ "user=libvirt-dnsmasq\n",
> + network->def->name);

This should be brought up upstream since (if correctly implemented) it's
useful and…

> +
> + /* if dns is disabled, set its listening port to 0, which
> +--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/dhcp6-nat-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/dhcp6-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=mynet
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/isolated-network.conf
> ++++ b/tests/networkxml2confdata/isolated-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.152.1
> +--- a/tests/networkxml2confdata/nat-network.conf
> ++++ b/tests/networkxml2confdata/nat-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-forwarders.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-forwarders.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + no-resolv
> + server=8.8.8.8
> + server=8.8.4.4
> +--- a/tests/networkxml2confdata/nat-network-dns-forward-plain.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-forward-plain.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + domain-needed
> +--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.122.1
> +--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/netboot-network.conf
> ++++ b/tests/networkxml2confdata/netboot-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/netboot-proxy-network.conf
> ++++ b/tests/networkxml2confdata/netboot-proxy-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/routed-network.conf
> ++++ b/tests/networkxml2confdata/routed-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + local=/example.com/
> + domain=example.com
> + expand-hosts
> +--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> ++++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.122.1
> +--- a/tests/networkxml2confdata/open-network.conf
> ++++ b/tests/networkxml2confdata/open-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/ptr-domains-auto.conf
> ++++ b/tests/networkxml2confdata/ptr-domains-auto.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + local=/122.168.192.in-addr.arpa/
> + local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/
> + except-interface=lo
> +--- a/tests/networkxml2confdata/routed-network-no-dns.conf
> ++++ b/tests/networkxml2confdata/routed-network-no-dns.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + port=0
> + except-interface=lo
> + bind-dynamic

This is not maintainable. Please use correct severities for bugs.

Cheers,
 -- Guido
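Review bot: in the postinst hunk, `--ingroup libvirt` makes libvirt the primary group of libvirt-dnsmasq, and that is the group /etc/libvirt/libvirtd.conf grants socket write access to, so a compromised dnsmasq could drive libvirtd; drop that option so the system user gets a group of its own (`adduser --system --group libvirt-dnsmasq`, or leave it in the `--system` default nogroup) and give it no libvirt membership at all. Note that a primary group never appears in the member list of `getent group libvirt`, so verify with `id -nG libvirt-dnsmasq`. The hunk also has no postrm counterpart: since the user owns no files, purge should remove it, e.g. `if getent passwd libvirt-dnsmasq >/dev/null; then deluser --system libvirt-dnsmasq; fi`.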
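Review bot: in the bridge_driver.c hunk the `"user=libvirt-dnsmasq\n"` line is emitted into every generated dnsmasq config with no check that the account exists, so on any host without it (a build of this patched source outside the Debian package, or a host where the postinst's adduser failed) dnsmasq exits at startup because it cannot look up the user and every libvirt network stops working; make the user name a configure-time option and emit the line only when getpwnam() finds the account, otherwise keep the current output. That is also the form worth sending upstream. The DEP-3 header above the hunk has no `Forwarded:` field, and `Title:` and `Drivers:` are not DEP-3 fields (use `Description:` and `Author:`).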
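Review bot: every hunk under tests/networkxml2confdata/ inserts the identical `++user=libvirt-dnsmasq` line after `strict-order`, so the patch rewrites each expected-output file in the suite and will need rebasing on every upstream change to any of them; if the emitted line depended on a configure-time user name that defaults to unset, the unpatched default output would be unchanged and none of these test-data hunks would be needed.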
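The group check behind the objection in this reply, as an added example that is not part of the bug report or of the libvirt package: it reads libvirtd.conf-style text for `unix_sock_group` and passwd/group-style text, and reports whether a service user is in the socket group either as its primary group (what `adduser --ingroup` sets, and what `getent group` does not list) or as a supplementary member. The file contents, user names, uids and gids are constructed samples; on a real host the same functions can be pointed at /etc/libvirt/libvirtd.conf, /etc/passwd and /etc/group.

```python
"""Would a service user reach the libvirtd socket through its groups?

Added example, not from the bug report or the libvirt package.  The inputs
below are constructed samples in the style of /etc/libvirt/libvirtd.conf,
/etc/passwd and /etc/group; the names, uids and gids are made up.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample: a libvirtd.conf that names the socket group.
LIBVIRTD_CONF = """\
# Commented-out lines must be ignored, only the live setting counts.
#unix_sock_group = "root"
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
"""

# Constructed sample: libvirt-dnsmasq created with --ingroup libvirt (gid 130),
# the distro dnsmasq user left in the adduser --system default group (nogroup).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
libvirt-dnsmasq:x:124:130:Libvirt Dnsmasq:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
dnsmasq:x:125:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
"""

# Constructed sample: libvirt-dnsmasq is NOT in the member list, only alice is,
# which is exactly why a member-list-only check would miss it.
GROUP = """\
root:x:0:
nogroup:x:65534:
libvirt:x:130:alice
"""

_SOCK_GROUP_RE = re.compile(r'^\s*unix_sock_group\s*=\s*"([^"]*)"')


def socket_group(conf: str) -> Optional[str]:
    """Return the effective unix_sock_group (last live assignment wins), or None."""
    value = None
    for line in conf.splitlines():
        m = _SOCK_GROUP_RE.match(line)
        if m:
            value = m.group(1)
    return value


def groups_of(user: str, passwd: str, group: str) -> Set[str]:
    """All groups of `user`: the primary group resolved from the passwd gid
    field plus every group whose member list names the user."""
    gid_to_name: Dict[str, str] = {}
    members: Dict[str, Set[str]] = {}
    for line in group.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, mem = line.split(":", 3)
        gid_to_name[gid] = name
        members[name] = {m for m in mem.split(",") if m}

    result: Set[str] = set()
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == user:
            primary = gid_to_name.get(fields[3])
            if primary:
                result.add(primary)
    result |= {g for g, mem in members.items() if user in mem}
    return result


def has_socket_access(user: str, conf: str, passwd: str, group: str) -> bool:
    """True if `user` is in the group that libvirtd.conf grants socket access to."""
    sg = socket_group(conf)
    return sg is not None and sg in groups_of(user, passwd, group)


if __name__ == "__main__":
    for u in ("libvirt-dnsmasq", "dnsmasq"):
        verdict = "CAN" if has_socket_access(u, LIBVIRTD_CONF, PASSWD, GROUP) else "cannot"
        print(f"{u}: groups={sorted(groups_of(u, PASSWD, GROUP))} -> {verdict} reach the libvirtd socket")
```

With the constructed data the dnsmasq user created by the patch is reported as reaching the socket through its primary group, while the distro dnsmasq user in nogroup is not; the same distinction on a live host is `id -nG libvirt-dnsmasq` versus the member list shown by `getent group libvirt`.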

