Control: tags -1 upstream fixed-upstream

On Wed, Nov 05, 2025 at 06:19:39PM +0100, Sylvain Beucler wrote:
> When creating snapshots for shut-down VMs, using virt-manager or virsh,
> e.g.:
> virsh snapshot-create-as --domain bookworm-oldstable --name snap1
> --disk-only --diskspec
> vda,snapshot=external,file=/var/lib/libvirt/images/myvm.snap1
>
> then the snapshot is world-readable (644):
> # ls -lh /var/lib/libvirt/images/bookworm-oldstable.snap1
> -rw-r--r-- 1 root root 193K 5 nov. 17:40
> /var/lib/libvirt/images/myvm.snap1
>
> by any user:
> # su - nobody -s /bin/sh -c 'hd -n 8 /var/lib/libvirt/images/myvm.snap1'
> 00000000 51 46 49 fb 00 00 00 03 |QFI.....|
>
> (This doesn't happen for running VMs where permission is correctly 600.)
>
> Such snapshots also stay world-readable after running the VM, allowing all
> local users to access the new data, which is a grave data leak.
Thanks for the report. A fix has been merged upstream today:

commit a379327d8abcde8ac8d3e16fe5e4ba6f790d767a
Author: Peter Krempa <[email protected]>
Date:   Wed Nov 12 17:52:05 2025 +0100

    qemu: snapshot: Set umask for 'qemu-img' when creating external inactive snapshots

    External inactive snapshots are created by invoking 'qemu-img' which
    creates the file. Currently qemu-img creates image with mode 644 based
    on default umask as libvirt doesn't set any.

    Having a world-readable image is obviously wrong so set the umask to
    077 to have the file readable only by the owner.

    Resolves: https://bugs.debian.org/1120119
    Signed-off-by: Peter Krempa <[email protected]>

https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a

I will prepare a backport within a few days.

-- 
Andrea Bolognani <[email protected]>
Resistance is futile, you will be garbage collected.
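The commit message above names the whole mechanism: qemu-img inherits libvirt's umask, so the image it creates lands at mode 644 unless the caller tightens the umask first. As an added example (not code from the bug report or from libvirt), the following POSIX shell script reproduces the effect of the two umask values on a constructed temporary directory and provides an audit helper that lists files any local user can read under a given images directory; all paths and file names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt.
# Demonstrates why an inherited umask of 022 yields a 644 snapshot file
# while the upstream fix (umask 077) yields 600, and provides an audit
# helper for an images directory such as /var/lib/libvirt/images.

# create_image DIR NAME UMASK: create an empty file the way a child process
# such as qemu-img would, under the given umask. The inherited umask alone
# decides the resulting mode, which is the root cause described above.
create_image() {
    ( umask "$3" && : > "$1/$2" )
}

# mode_of FILE: print the octal permission bits of FILE
# (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# world_readable DIR: print the names of regular files directly in DIR that
# carry the "other: read" bit (octal 004), one per line, sorted.
# Empty output means no file in DIR is readable by arbitrary local users.
world_readable() {
    find "$1" -maxdepth 1 -type f -perm -004 -exec basename {} \; | sort
}

# Demonstration on a temporary directory (constructed, not a real libvirt path).
demo() {
    dir=$(mktemp -d)
    create_image "$dir" "myvm.snap1" 022   # umask libvirt used to inherit: 644
    create_image "$dir" "myvm.snap2" 077   # umask set by the upstream fix: 600
    printf 'myvm.snap1 mode: %s\n' "$(mode_of "$dir/myvm.snap1")"
    printf 'myvm.snap2 mode: %s\n' "$(mode_of "$dir/myvm.snap2")"
    printf 'world-readable files: %s\n' "$(world_readable "$dir")"
    rm -rf "$dir"
}

demo
```

Running `world_readable /var/lib/libvirt/images` on a host that created external snapshots of shut-down VMs with an unfixed libvirt lists the files that still need their mode corrected.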