It turned out that in my environment the user 'hxiang' I was testing with is in group 'desktop_admin_r' and PolicyKit takes all users in that group as administrators. That's why I could connect without authentication.
Sorry for the false alarm.

On 10/12/2011 04:22 PM, Daniel P. Berrange wrote:
On Wed, Oct 12, 2011 at 11:57:25AM +0800, Hong Xiang wrote:
I found there's a way for an unprivileged user to overwrite a sensitive
system file with virsh, here's how:
1. (as an unprivileged user) start virsh and connect to the r/w
socket of libvirtd:
    virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock

Unless you have turned off authentication, this requires you to provide
your root password via PolicyKit. Thus you can no longer be considered
an 'unprivileged' user after this point.

2. start a guest, then issue 'save' or 'dump' command, giving a
sensitive system file path as the <file> parameter, for example,
'/etc/passwd';
3. the sensitive system file will be overwritten;

There's no security hole. If you have successfully authenticated to the
privileged libvirtd daemon over the read-write socket, then you are
considered to have a privilege level equivalent to a root shell.

Regards,
Daniel

--
Thanks.
Hong Xiang

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
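The thread turns on one question: who does polkit let through to the read-write libvirt socket (action org.libvirt.unix.manage) without a password prompt? The script below is an added example, not code from the thread, libvirt or polkit. It models the two local-authority mechanisms that decide this under the .conf/.pkla backend that was current in 2011 (polkit 0.106 and later use JavaScript rules in /etc/polkit-1/rules.d instead): an explicit .pkla stanza that returns "yes" for the action, and the AdminIdentities list that makes a user or group count as administrator, which is what the poster found for desktop_admin_r. The two config snippets, the group name libvirt-ops and the user/uid values are constructed for the example; the file layout, key names and identity syntax follow pklocalauthority(8).

```python
"""Added example: explain how a user reaches org.libvirt.unix.manage under
polkit's local authority (.conf / .pkla backend). Illustrative only; not
libvirt's or polkit's own code."""
import configparser
import fnmatch

LIBVIRT_RW_ACTION = "org.libvirt.unix.manage"  # action behind the r/w socket

# Constructed stand-in for /etc/polkit-1/localauthority.conf.d/50-localauthority.conf:
# root plus one admin group, as in the poster's environment.
ADMIN_CONF = """\
[Configuration]
AdminIdentities=unix-user:0;unix-group:desktop_admin_r
"""

# Constructed stand-in for a site .pkla file (e.g. under localauthority/50-local.d/)
# that grants the action outright to a hypothetical libvirt-ops group.
PKLA = """\
[Let libvirt operators manage without a password]
Identity=unix-group:libvirt-ops
Action=org.libvirt.unix.manage
ResultAny=no
ResultInactive=no
ResultActive=yes
"""


def parse_admin_identities(conf_text):
    """Return the ';'-separated identities listed under AdminIdentities."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("Configuration", "AdminIdentities", fallback="")
    return [i.strip() for i in raw.split(";") if i.strip()]


def identity_matches(identity, user, uid, groups):
    """True if a polkit identity (unix-user:NAME or UID, unix-group:NAME)
    covers a subject with this user name, uid and group list."""
    kind, _, name = identity.partition(":")
    if kind == "unix-user":
        return name in (user, str(uid))
    if kind == "unix-group":
        return name in groups
    return False


def pkla_result(pkla_text, action, user, uid, groups, session="active"):
    """Return the Result* value of the first .pkla stanza whose Identity and
    Action (globs allowed) match, or None if no stanza applies."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pkla_text)
    key = {"active": "ResultActive", "inactive": "ResultInactive"}.get(session, "ResultAny")
    for section in cp.sections():
        s = cp[section]
        actions = [a.strip() for a in s.get("Action", "").split(";") if a.strip()]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        idents = [i.strip() for i in s.get("Identity", "").split(";") if i.strip()]
        if any(identity_matches(i, user, uid, groups) for i in idents):
            return s.get(key, s.get("ResultAny"))
    return None


def explain_rw_access(user, uid, groups, admin_conf=ADMIN_CONF, pkla=PKLA):
    """Classify how USER reaches the read-write socket:
    'granted-by-pkla'   an explicit stanza answers yes for the action;
    'polkit-admin'      the user or one of its groups is in AdminIdentities
                        (the desktop_admin_r case from the thread);
    'must-authenticate' neither applies, so polkit prompts as usual."""
    if pkla_result(pkla, LIBVIRT_RW_ACTION, user, uid, groups) == "yes":
        return "granted-by-pkla"
    admins = parse_admin_identities(admin_conf)
    if any(identity_matches(i, user, uid, groups) for i in admins):
        return "polkit-admin"
    return "must-authenticate"


if __name__ == "__main__":
    # Constructed subject mirroring the thread: hxiang is in desktop_admin_r.
    print(explain_rw_access("hxiang", 1000, ["hxiang", "desktop_admin_r"]))
```

On a real host the same check is `id -Gn hxiang` against `grep -r AdminIdentities /etc/polkit-1/localauthority.conf.d/` and the stanzas under /etc/polkit-1/localauthority/, and the authoritative answer comes from polkit itself with `pkcheck --action-id org.libvirt.unix.manage --process $$` run as the user in question.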
