[Bug 691590] Re: libvirt should not take ownership of ISO images
This really feels like a serious security bug. The whole point of running qemu as non-root is to prevent it from accessing files that you haven't given it permission to. By blindly chowning files to the qemu user, you allow the user who is given permission to run virtual machines to start one with direct access to your /boot partition and hack the host system. Even if you do wish to bypass permissions and allow the VM access to whatever file a VM admin has configured it to (under the assumption that they are trusted as if root), you don't do that with the sledgehammer of chowning the file; you open the file while still root, and pass the open file descriptor to qemu. Really, it should assume the identity of the user who is requesting that the VM be started and open the file as them rather than root, thus restricting access to only the files that user has access to, but that may be considered a separate issue. For now I will focus on at least getting rid of the bad behavior of permanently chowning files.

** Changed in: libvirt (Ubuntu)
   Status: Won't Fix => Triaged

** Changed in: libvirt (Ubuntu)
   Assignee: (unassigned) => Phillip Susi (psusi)

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libvirt in Ubuntu.
https://bugs.launchpad.net/bugs/691590

Title:
  libvirt should not take ownership of ISO images

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/691590/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
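The descriptor hand-off argued for in the message above, as an added example that is not part of the bug thread and not libvirt's own code. The parent opens the image while it still has access (standing in for the privileged daemon), then makes the file unreadable by path and spawns a small stand-in for qemu that receives nothing but the inherited descriptor. The child can read the image through the descriptor, cannot open it by name, and the file's owner is never touched. The sample bytes, the child program and the temporary paths are all constructed for this demonstration.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Constructed stand-in for an ISO image (not a real image).
SAMPLE_ISO = b"ISO 9660 sample image (constructed test data)"

# Constructed stand-in for the guest process (qemu): it is handed a
# descriptor number plus the path, and reports what it could do with each.
CHILD_PROGRAM = r"""
import os, sys
fd, path = int(sys.argv[1]), sys.argv[2]
data = os.read(fd, 4096)          # works: the parent did the open
try:
    open(path, "rb").close()      # could the child have opened it by name?
    by_path = b"path-open-ok"
except PermissionError:
    by_path = b"path-open-denied"
sys.stdout.buffer.write(data + b"\n" + by_path + b"\n")
"""


def run_child_with_fd(fd, path):
    """Spawn the stand-in guest with `fd` inherited (and nothing else).
    Returns the child's output: [bytes read via fd, path-open result, b""]."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM, str(fd), path],
        pass_fds=(fd,),          # only this descriptor survives the exec
        capture_output=True,
        check=True,
    )
    return proc.stdout.split(b"\n")


def demo():
    """Open a constructed image, make it unreadable by path, run the child.
    Returns what the child saw plus whether ownership was left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "orig.iso")
        with open(iso, "wb") as f:
            f.write(SAMPLE_ISO)
        before = os.stat(iso)
        fd = os.open(iso, os.O_RDONLY)   # the "privileged" open
        try:
            os.chmod(iso, 0)             # no ordinary user can open it by name now
            lines = run_child_with_fd(fd, iso)
        finally:
            os.close(fd)
        after = os.stat(iso)
        return {
            "child_read": lines[0],
            "by_path": lines[1].decode(),
            # nothing chowned: owner and group are exactly as created
            "owner_unchanged": (before.st_uid, before.st_gid)
                               == (after.st_uid, after.st_gid),
            "mode_after": stat.S_IMODE(after.st_mode),
            "running_as_root": os.geteuid() == 0,
        }


if __name__ == "__main__":
    print(demo())
```

Run as an ordinary user the child reports `path-open-denied` while still returning the full image contents; run as root the by-path open succeeds as well, since root bypasses DAC, which is exactly why the thread wants the open done by the daemon and only the descriptor handed down.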
[Bug 691590] Re: libvirt should not take ownership of ISO images
Yes, I can set a read-only mount. Will have it set in a few. Thank you, Serge.
[Bug 691590] Re: libvirt should not take ownership of ISO images
See https://www.redhat.com/archives/libvir-list/2011-October/msg00104.html and https://www.redhat.com/archives/libvir-list/2011-October/msg00110.html for the upstream response. The first message describes the proper fix (switching from chown to ACLs in the DAC security code). The second suggests using a read-only mount for the ISOs.

Is it possible to use a read-only bind mount of the mirror directory for your libvirt VMs? You can either mount it elsewhere, or else have /etc/init/libvirt unshare a new mount namespace and remount the mirror directory read-only in place before starting libvirtd.
[Bug 691590] Re: libvirt should not take ownership of ISO images
Re-verified the bug and the patch, and sent the patch to the upstream mailing list: https://www.redhat.com/archives/libvir-list/2011-September/msg00458.html

If upstream rejects this, then I will mark the bug wontfix.
[Bug 691590] Re: libvirt should not take ownership of ISO images
It seems the ISOs are hosed right now; I get a sudden reboot in the basic package install. But -- as far as this bug is concerned -- the ISOs' ownership is maintained for the original owner. Perfect, Serge.
[Bug 691590] Re: libvirt should not take ownership of ISO images
Thank you, Serge. Testing it now.
[Bug 691590] Re: libvirt should not take ownership of ISO images
A package with the proposed fix is available for natty in ppa:serge-hallyn/virt. If this does what you need, then we can proceed to talk to the libvirt community.
[Bug 691590] Re: libvirt should not take ownership of ISO images
** Attachment added: "Proposed patch to not chown isos"
   https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/691590/+attachment/1774914/+files/debdiff
[Bug 691590] Re: libvirt should not take ownership of ISO images
** Bug watch added: Red Hat Bugzilla #568935
   https://bugzilla.redhat.com/show_bug.cgi?id=568935

** Also affects: libvirt via
   https://bugzilla.redhat.com/show_bug.cgi?id=568935
   Importance: Unknown
   Status: Unknown
[Bug 691590] Re: libvirt should not take ownership of ISO images
I intend to write a patch to make this behavior an option, and send it to the libvirt list for comment.

** Changed in: libvirt (Ubuntu)
   Status: New => Triaged

** Changed in: libvirt (Ubuntu)
   Importance: Undecided => Low
[Bug 691590] Re: libvirt should not take ownership of ISO images
Actually, no... the only change is the owner got to be root, from libvirt. I still am not convinced a read-only ISO has to be chown-ed to the libvirt account.
[Bug 691590] Re: libvirt should not take ownership of ISO images
So does that suffice for your needs?
[Bug 691590] Re: libvirt should not take ownership of ISO images
A correction on the above "I just tried with qemu.conf setting user/group to root -- the ISO gets chown-ed to root:root, 0600.": actually, the permissions are kept as they were.
[Bug 691590] Re: libvirt should not take ownership of ISO images
@Clint: zsync does the same (writes the updated file to a temp, then renames/unlinks/whatever -- did not check the source).

@Jamie: I just tried with qemu.conf setting user/group to root -- the ISO gets chown-ed to root:root, 0600. So, no dice here.

Nevertheless, my whole point is it does not make much sense, security-wise, to chown a read-only file: it is an ISO image, and it is mounted on the CDROM:

(...)

If the file is never chown-ed to libvirt:kvm/whatever, then there is no race -- the file will keep the current ownership. Obviously, this does not apply to the qcow2 disc -- there is a clear exposure there.

Now, why does libvirt in user-mode also chown the discs? I would expect the user-mode to run under the control (and ownership, at least for the disc images) of the effective userId that started the VM.
[Bug 691590] Re: libvirt should not take ownership of ISO images
This whole bug is about libvirt's DAC security driver. It will chown files to the user that kvm runs as. On Ubuntu, this is the libvirt-qemu:kvm user (adjustable via /etc/libvirt/qemu.conf). If you look at the ISO file, its ownership should have been changed to this user. The DAC security driver cannot be disabled like the other security drivers (eg AppArmor and SELinux), but is instead either used alone or with one other security driver (AppArmor on Ubuntu).

I believe that if libvirt is configured to run kvm as root, then the DAC driver will not chown files (because it doesn't have to -- with DAC root can read anything). This was the case on Lucid iirc. As a workaround, you should be able to configure /etc/libvirt/qemu.conf to use:

  user = "root"
  group = "root"

and the problem should go away (not tested on maverick or natty libvirt). Because kvm is still confined by AppArmor in this configuration, the security stance is not greatly diminished. This was the default in Lucid.

I've not looked at how well libvirt handles chowning files, but I imagine one reason why it works the way it does is that if libvirt chowned back to the user, this is a potential race condition and security issue -- ie, libvirt chowns the ISO to libvirt-qemu:kvm, then starts the machine. Now I hard link the ISO to /etc/shadow and shutdown the machine. libvirt chowns /etc/shadow to my user and group. Granted, members of the libvirtd group (ie access to qemu:///system) are considered privileged anyway (they have access to raw disks among other things), but with the above described scenario, it is far too easy to escalate privileges. Chowning to libvirt-qemu:kvm is potentially problematic as well, but the hard link to /etc/shadow is less interesting there since the user isn't libvirt-qemu and the kvm group membership doesn't gain you as much (setgid should be stripped on chgrp in Linux, and group writable files are not as common (though there are a few that are interesting)).

Natty has some kernel protections that could help here, but they are upstream and upstream libvirt would not be able to rely on them being present.
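For the chown-back race described in the message above, here is an added example of a guarded ownership restore; it is not libvirt's code (upstream's answer in this thread was to move to ACLs and to stop chowning read-only ISOs, not this). The idea is to open the target without following symlinks, inspect the object actually opened via fstat, refuse anything that is not a singly linked regular file still owned by whoever the daemon last set, and then fchown that same descriptor, so the check and the change apply to one inode. The helper names, the exception class and the temporary files are constructed for this example; it assumes POSIX semantics and that the daemon can read the file it opens (as root can).

```python
import errno
import os
import stat
import tempfile


class RefusedChown(Exception):
    """Raised when the target is not a plain, singly linked regular file
    with the ownership the daemon recorded earlier."""


def guarded_chown(path, new_uid, new_gid, expected_uid, expected_gid):
    """Change the owner of `path` only if it is safe to do so.
    Returns the (uid, gid) of the file after the change."""
    try:
        # O_NOFOLLOW: a symlink planted at `path` fails with ELOOP
        # instead of redirecting us to some other file.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise RefusedChown("symlink at %s" % path)
        raise
    try:
        st = os.fstat(fd)                 # inspect the object we opened
        if not stat.S_ISREG(st.st_mode):
            raise RefusedChown("not a regular file")
        if st.st_nlink != 1:
            # A second name (e.g. a hard link planted while the VM ran)
            # means a chown here would also retarget that other name.
            raise RefusedChown("file has %d links" % st.st_nlink)
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            raise RefusedChown("owner changed since the daemon set it")
        os.fchown(fd, new_uid, new_gid)   # same inode as checked above
        st = os.fstat(fd)
        return st.st_uid, st.st_gid
    finally:
        os.close(fd)


def demo():
    """Exercise the guard on a plain file, a hard-linked file and a
    symlink. Uses the caller's own uid/gid so it runs unprivileged."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "orig.iso")
        with open(plain, "wb") as f:
            f.write(b"constructed ISO stand-in")
        results["plain"] = guarded_chown(plain, uid, gid, uid, gid)

        linked = os.path.join(tmp, "linked.iso")
        with open(linked, "wb") as f:
            f.write(b"constructed ISO stand-in")
        os.link(linked, os.path.join(tmp, "alias"))  # second name, same inode
        try:
            guarded_chown(linked, uid, gid, uid, gid)
            results["linked"] = "chowned"
        except RefusedChown:
            results["linked"] = "refused"

        sym = os.path.join(tmp, "sym.iso")
        os.symlink(plain, sym)
        try:
            guarded_chown(sym, uid, gid, uid, gid)
            results["symlink"] = "chowned"
        except RefusedChown:
            results["symlink"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The nlink test is the part that addresses the /etc/shadow scenario: the planted hard link raises the link count of the shared inode above one, so the restore is refused rather than applied to a file the user should never own.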
[Bug 691590] Re: libvirt should not take ownership of ISO images
Serge, from what I understand of rsync, it never writes directly to the destination file; it will create a temporary hidden file and write to that, then unlink/rename when the transfer is complete. So the steps can just be:

  rsync rsync://mirror/file.iso orig.iso

It won't interfere at all with anything that has the .iso opened. It will be like any other unlinked open file.
[Bug 691590] Re: libvirt should not take ownership of ISO images
Yes, this would work (as long as the process doing this move owns the directory -- otherwise it is still an error 13). The whole point, though, is that libvirt does not need to take ownership of a *read-only* file. At least it could revert the ownership when the VM is closed, if you want to protect against an ISO update while the ISO is in use by libvirt. Or use flock, or something. But this (update-while-somebody-is-using) is a common issue on *IX, and still we do not see ownership being unilaterally changed. Of course, we can also bypass by using 'sudo', but this would break the least privilege principle.

** Changed in: libvirt (Ubuntu)
   Status: Incomplete => New
[Bug 691590] Re: libvirt should not take ownership of ISO images
I don't think it would be safe at any rate to have the ISO images be written to while kvm is reading them. Would it be ok to work around this another way? Perhaps the right way to update the ISOs is:

  cp orig.iso new.iso
  rsync -Pv mirror://updated_iso.iso new.iso
  rm orig.iso
  mv new.iso orig.iso

This way you can still minimize network traffic, while syncing to a temporary copy. After the 'rm orig.iso', libvirt and kvm will continue to use the original, deleted file, until they close it. Then, the next time they open 'orig.iso', they'll get the new file. Would that be conceivable with your mirroring setup?

** Changed in: libvirt (Ubuntu)
   Status: New => Incomplete
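The replace-by-rename update that the rsync message and this one both rely on, as an added example (not from the thread): a reader holds the old image open throughout, the new image is written to a sibling temp file and renamed over the original name, and the reader keeps seeing the old bytes until it reopens. A single rename() is used instead of the rm-then-mv pair above because rename over an existing name is atomic on POSIX, so there is never a moment with no orig.iso present. The file contents and paths are constructed for the demonstration.

```python
import os
import tempfile

# Constructed contents standing in for two versions of an ISO image.
OLD_IMAGE = b"constructed ISO v1"
NEW_IMAGE = b"constructed ISO v2 (updated)"


def update_in_place(path, new_bytes):
    """Write the new image next to `path`, flush it to disk, then rename
    it over `path`. Any process that already has the old file open keeps
    its descriptor on the old inode; new opens get the new inode."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(new_bytes)
        f.flush()
        os.fsync(f.fileno())   # data is durable before the name switches
    os.rename(tmp, path)       # atomic name replacement


def demo():
    """Run the update while a reader (standing in for the running VM)
    holds the original file open. Returns the observations."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "orig.iso")
        with open(iso, "wb") as f:
            f.write(OLD_IMAGE)

        reader = open(iso, "rb")            # the "VM" opens the image
        old_inode = os.fstat(reader.fileno()).st_ino

        update_in_place(iso, NEW_IMAGE)     # mirror update happens now

        seen_by_running_vm = reader.read()  # still the old bytes
        st = os.fstat(reader.fileno())
        reader_on_old_inode = st.st_ino == old_inode
        old_inode_unlinked = st.st_nlink == 0   # only the open fd keeps it alive
        reader.close()

        with open(iso, "rb") as f:          # next VM start sees the new image
            seen_after_reopen = f.read()
        name_points_to_new_inode = os.stat(iso).st_ino != old_inode

        return {
            "seen_by_running_vm": seen_by_running_vm,
            "seen_after_reopen": seen_after_reopen,
            "reader_on_old_inode": reader_on_old_inode,
            "old_inode_unlinked": old_inode_unlinked,
            "name_points_to_new_inode": name_points_to_new_inode,
        }


if __name__ == "__main__":
    print(demo())
```

The same property is what makes rsync's own temp-file-plus-rename safe for an ISO that kvm has open; the rename must happen within the same directory (and filesystem) for it to stay atomic, and, as noted later in the thread, the updating process needs write permission on that directory.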
[Bug 691590] Re: libvirt should not take ownership of ISO images
** Tags added: iso-testing