[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-14 Thread Launchpad Bug Tracker
This bug was fixed in the package libvirt - 4.0.0-1ubuntu5

---
libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
    - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
    - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on
      purge
    - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user
      libvirt-dnsmasq and adapt the self tests to expect that config
    - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch
    fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch
    ensure symlinks are resolved to get valid rules if interim parts of a path
    are a symlink (LP: #1752361)

 -- Christian Ehrhardt  Tue, 27 Feb 2018 12:04:02 +0100

** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1743718

Title:
  libvirt-daemon-system package runs dnsmasq as nobody

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1743718/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-08 Thread ChristianEhrhardt
** Tags added: 4.0.0-1ubuntu5


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-07 Thread Seth Arnold
Thanks Christian, this is very nice.


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-07 Thread ChristianEhrhardt
A fix for this is queued up for when a few more apparmor issues got an
ack upstream so I can deal with them in one upload.

Until then, feel free to review [1].
It includes the old code plus:
- creation for an own group (after discussion with Seth on the sprint)
- upgrade from Xenial will fix the old group to the new one
- remove user/group on purge

[1]: https://git.launchpad.net/~libvirt-maintainers/ubuntu/+source/libvirt/commit/?h=ubuntu/bionic-4.0=5dfa2589f20cc2f16c8b5d1952272c9e945d84fa

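A check for the account properties this thread settles on (a dedicated user, its own primary group rather than "nogroup", no membership in the libvirt group), as an added example that is not part of the original messages or of the package's maintainer scripts. The function name, the finding labels and the sample uid/gid values are constructed for illustration; input is passwd(5)/group(5)-format text such as saved `getent passwd` and `getent group` output.

```shell
#!/bin/sh
# Added example, not the package's maintainer script.
# audit_dnsmasq_account PASSWD_FILE GROUP_FILE [USER] [PRIVILEGED_GROUP]
# Inputs are passwd(5)/group(5)-format files (e.g. saved `getent` output).
# Prints one finding per line; returns 0 only when there are none.
audit_dnsmasq_account() {
    awk -F: -v user="${3:-libvirt-dnsmasq}" -v priv="${4:-libvirt}" '
        # passwd file: remember the primary gid of the service account
        FILENAME == ARGV[1] { if ($1 == user) { found = 1; gid = $4 }; next }
        # group file: resolve the primary group, note supplementary membership
        {
            if (found && $3 == gid) primary = $1
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if ($1 == priv && members[i] == user) member = 1
        }
        END {
            if (!found) { print "missing: no account " user; exit 1 }
            if (primary == "") { print "dangling: gid " gid " has no group"; bad = 1 }
            if (primary == "nogroup") { print "shared-group: primary group is nogroup"; bad = 1 }
            if (primary == priv || member) { print "privileged: " user " is in " priv; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Constructed sample: an account left on the default "nogroup" primary group
# and additionally listed as a member of the libvirt group.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
libvirt-dnsmasq:x:121:65534:Libvirt Dnsmasq:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
EOF
cat > "$demo_dir/group" <<'EOF'
nogroup:x:65534:
libvirt:x:129:alice,libvirt-dnsmasq
EOF
audit_dnsmasq_account "$demo_dir/passwd" "$demo_dir/group" || echo "account needs fixing"
rm -rf "$demo_dir"
```
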

[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-02 Thread ChristianEhrhardt
I have something prepared that "works" but I'm not really happy.
I'll discuss with Seth on the sprint next week on the options we have on this.


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-03-01 Thread ChristianEhrhardt
I looked at bringing back the old Delta, updating it to the new libvirt and fixing up the issues we had in the past:
1. not be part of the libvirt group (worse than user nobody)
2. remove users on purge

I wonder on the group it should get ...
adduser by default for a --system group picks "nogroup".
Is that safe to use, or do we also want/need to create a libvirt-dnsmasq group?


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-02-28 Thread Seth Arnold
Thanks Christian, I think you're right that creating a new user account
for this service is the way to go. Nice catch from Guido to *not* give
libvirt group membership.


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-02-28 Thread ChristianEhrhardt
Hmm,
not sure why my mailer decided this isn't important - it is!
Lost a few days on it due to not being visible yet - I beg all your pardon for this.
/slap my mail filters

This essentially came due to:
1. myself wanting to bring the Delta we had (by Serge) to run as libvirt-dnsmasq to Debian in [1]
2. out of the discussion in said bug it was decided to be a security risk. I don't have good logs to share (IRC/Mails/Hangout-Talks), but the TL;DR was "do not run it as that user"
3. out of that discussion the change causing this happened in [2]

I think I want to re-fix that at least for bionic to bring back Serge's changes.
But in a modified way so they do not trigger the security issues found back then.
They'll probably get an own group at least ...

I also need to look more into the issue that arises due to it for you by
reading more into the comments above...

@Seth - any recommendation which user would be best for security
isolation. Is an own one (but also with an own group this time) the best
we can do?

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1690729

** Bug watch added: Debian Bug tracker #862340
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340


[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody

2018-02-27 Thread Apicultor
** Description changed:

- libvirt-daemon-system package runs two seemingly-identical (same
- invocation, same config file) copies of dnsmasq (one of which runs as
- root). Presumably only one copy should be running, owned by 'nobody'.
- 
+ libvirt-daemon-system package runs dnsmasq as 'nobody'.
  
  $ lsb_release -rd
  Description:  Ubuntu Bionic Beaver (development branch)
  Release:  18.04
  
- 
  $ apt-cache policy libvirt-daemon-system
  libvirt-daemon-system:
-   Instal·lat: 3.6.0-1ubuntu6
-   Candidat:   3.6.0-1ubuntu6
-   Taula de versió:
-  *** 3.6.0-1ubuntu6 500
- 500 http://es.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
- 100 /var/lib/dpkg/status
- 
+   Instal·lat: 3.6.0-1ubuntu6
+   Candidat:   3.6.0-1ubuntu6
+   Taula de versió:
+  *** 3.6.0-1ubuntu6 500
+ 500 http://es.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+ 100 /var/lib/dpkg/status
  
  $ sudo apt install libvirt-daemon-system
- S'està llegint la llista de paquets… Fet 
- S'està construint l'arbre de dependències   
+ S'està llegint la llista de paquets… Fet
+ S'està construint l'arbre de dependències
  S'està llegint la informació de l'estat… Fet
  S'instal·laran els següents paquets extres:
-   libvirt-daemon
+   libvirt-daemon
  Paquets suggerits:
-   numad radvd auditd systemtap nfs-common zfsutils pm-utils
+   numad radvd auditd systemtap nfs-common zfsutils pm-utils
  S'instal·laran els paquets NOUS següents:
-   libvirt-daemon libvirt-daemon-system
+   libvirt-daemon libvirt-daemon-system
  0 actualitzats, 2 nous a instal·lar, 0 a suprimir i 0 no actualitzats.
  S'ha d'obtenir 0 B/2227 kB d'arxius.
  Després d'aquesta operació s'empraran 10,3 MB d'espai en disc addicional.
- Voleu continuar? [S/n] 
+ Voleu continuar? [S/n]
  S'estan preconfigurant els paquets...
  S'està seleccionant el paquet libvirt-daemon prèviament no seleccionat.
  (S'està llegint la base de dades… hi ha 150336 fitxers i directoris 
instal·lats actualment.)
  S'està preparant per a desempaquetar 
…/libvirt-daemon_3.6.0-1ubuntu6_amd64.deb…
  S'està desempaquetant libvirt-daemon (3.6.0-1ubuntu6)…
  S'està seleccionant el paquet libvirt-daemon-system prèviament no seleccionat.
  S'està preparant per a desempaquetar 
…/libvirt-daemon-system_3.6.0-1ubuntu6_amd64.deb…
  S'està desempaquetant libvirt-daemon-system (3.6.0-1ubuntu6)…
  S'estan processant els activadors per a ureadahead (0.100.0-20)…
  ureadahead will be reprofiled on next reboot
  S'està configurant libvirt-daemon (3.6.0-1ubuntu6)…
  S'estan processant els activadors per a systemd (235-3ubuntu3)…
  S'estan processant els activadors per a man-db (2.7.6.1-4)…
  S'està configurant libvirt-daemon-system (3.6.0-1ubuntu6)…
  S'està afegint l'usuari libvirt-qemu al grup libvirt-qemu
  Created symlink 
/etc/systemd/system/multi-user.target.wants/libvirt-guests.service → 
/lib/systemd/system/libvirt-guests.service.
  Created symlink /etc/systemd/system/libvirt-bin.service → 
/lib/systemd/system/libvirtd.service.
  Created symlink /etc/systemd/system/multi-user.target.wants/libvirtd.service 
→ /lib/systemd/system/libvirtd.service.
  Created symlink /etc/systemd/system/sockets.target.wants/virtlockd.socket → 
/lib/systemd/system/virtlockd.socket.
  Created symlink /etc/systemd/system/sockets.target.wants/virtlogd.socket → 
/lib/systemd/system/virtlogd.socket.
  virtlockd.service is a disabled or a static unit, not starting it.
  Setting up libvirt-daemon dnsmasq configuration.
  S'estan processant els activadors per a ureadahead (0.100.0-20)…
  S'estan processant els activadors per a systemd (235-3ubuntu3)…
  
- 
  $ service libvirtd status
  ● libvirtd.service - Virtualization daemon
-Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor 
preset:
-Active: active (running) since Tue 2018-01-16 18:16:08 CET; 7s ago
-  Docs: man:libvirtd(8)
-http://libvirt.org
-  Main PID: 3476 (libvirtd)
- Tasks: 18 (limit: 32768)
-CGroup: /system.slice/libvirtd.service
-├─3476 /usr/sbin/libvirtd
-├─3771 /usr/sbin/dnsmasq 
--conf-file=/var/lib/libvirt/dnsmasq/default
-└─3772 /usr/sbin/dnsmasq 
--conf-file=/var/lib/libvirt/dnsmasq/default
+    Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor 
preset:
+    Active: active (running) since Tue 2018-01-16 18:16:08 CET; 7s ago
+  Docs: man:libvirtd(8)
+    http://libvirt.org
+  Main PID: 3476 (libvirtd)
+ Tasks: 18 (limit: 32768)
+    CGroup: /system.slice/libvirtd.service
+    ├─3476 /usr/sbin/libvirtd
+    ├─3771 /usr/sbin/dnsmasq 
--conf-file=/var/lib/libvirt/dnsmasq/default
+    └─3772 /usr/sbin/dnsmasq 
--conf-file=/var/lib/libvirt/dnsmasq/default
  
  gen 16 18:16:08 desktop systemd[1]: Started Virtualization daemon.
  gen 16 18:16:09 desktop dnsmasq[3771]: started, version 2.78 cachesize 150
  gen 16 18:16:09 desktop dnsmasq[3771]: compile time options: IPv6 GNU-getopt 
DBu