On 27/07/2015 15:29, Eric Blevins wrote:
> I have no idea if CVE-2015-5154 that Stephan inquired about affects Proxmox.
>
> But when I see exploits like that the first thought in my mind is how
> easy it would be for such an exploit to get root on the Proxmox host.
>
> I've done some experimenting. If I take the KVM command as generated
> by Proxmox and simply add "-runas nobody" the VM starts up and runs
> without a problem.
>
> However when I try to open a console the KVM process fails.
> I suspect this is just some permissions in creating the socket but not
> investigated.
>
> A patch exists to prevent a crash when a socket cannot be opened.
> https://lists.gnu.org/archive/html/qemu-devel/2015-05/msg00577.html
>
> Any chance this security issue can be fixed before the 4.0 release?
>
> Eric

Hi,

Maybe it could even go further, allowing to separate some VMs using different usernames to isolate them somehow?

Cheers
Gilles

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel