[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
This bug was fixed in the package libvirt - 4.0.0-1ubuntu5

---------------
libvirt (4.0.0-1ubuntu5) bionic; urgency=medium

  * run dnsmasq as libvirt-dnsmasq (LP: #1743718)
    - d/libvirt-daemon-system.postinst: add libvirt-dnsmasq user and group
    - d/libvirt-daemon-system.postrm: remove libvirt-dnsmasq user and group on purge
    - d/p/ubuntu/dnsmasq-as-priv-user: write dnsmasq config with user libvirt-dnsmasq and adapt the self tests to expect that config
    - d/libvirt-daemon-system.postinst: fix old libvirt-dnsmasq users
  * Backport from recent upstream to stabilize libvirt (LP: #1754352)
    - d/p/stable/0024-qemu-blockcopy-Add-check-for-bandwidth.patch
    - d/p/stable/0025-conf-move-generated-member-from-virMacAddr-to-virDom.patch
    - d/p/stable/0026-lxc-Drop-useless-check-in-live-device-update.patch
    - d/p/stable/0027-Pass-oldDev-to-virDomainDefCompatibleDevice-on-devic.patch
    - d/p/stable/0028-qemu-Fix-updating-device-with-boot-order.patch
    - d/p/stable/0030-daemon-fix-rpc-event-leak-on-error-path-in-remoteDis.patch
    - d/p/stable/0029-lxc-fix-rpc-event-leak-on-error-path-in-virLXCContro.patch
    - d/p/stable/0031-qemu-fix-memory-leak-of-vporttype-during-migration.patch
    - d/p/stable/0032-virsh-fixing-segfault-by-pool-autocompleter-function.patch
  * d/p/ubuntu-aa/0041-apparmor-add-ro-rule-for-sasl-GSSAPI-plugin-on-etc-g.patch fix issues if sasl is configured (LP: #1696471)
  * d/p/ubuntu-aa/0042-virt-aa-helper-resolve-yet-to-be-created-paths.patch ensure symlinks are resolved to get valid rules if interim parts of a path are a symlink (LP: #1752361)

 -- Christian Ehrhardt  Tue, 27 Feb 2018 12:04:02 +0100

** Changed in: libvirt (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1743718

Title:
  libvirt-daemon-system package runs dnsmasq as nobody

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1743718/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
** Tags added: 4.0.0-1ubuntu5
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
Thanks Christian, this is very nice.
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
A fix for this is queued up for when a few more apparmor issues get an ack upstream so I can deal with them in one upload.
Until then feel free to review [1]. It includes the old code plus:
- creation of an own group (after discussion with Seth on the sprint)
- upgrade from Xenial will fix the old group to the new one
- remove user/group on purge

[1]: https://git.launchpad.net/~libvirt-maintainers/ubuntu/+source/libvirt/commit/?h=ubuntu/bionic-4.0&id=5dfa2589f20cc2f16c8b5d1952272c9e945d84fa
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
I have something prepared that "works" but I'm not really happy. I'll discuss with Seth on the sprint next week the options we have on this.
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
I looked at bringing back the old Delta, updating it to the new libvirt and fixing up the issues we had in the past:
1. not be part of the libvirt group (worse than user nobody)
2. remove users on purge

I wonder about the group it should get ... adduser by default for a --system group picks "nogroup". Is that safe to use, or do we also want/need to create a libvirt-dnsmasq group?
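The states debated above (dnsmasq as root, as the shared account nobody, as a dedicated user that is still in the libvirt group or still has nogroup as its primary group, and the fixed state) can be audited on a host. The following is an added example, not code from this thread, from the libvirt package or from the Ubuntu packaging. It parses text in the shape of `ps -eo pid,user,group,args`, /etc/passwd and /etc/group, and checks the generated dnsmasq config for the user=/group= keys the fix writes. All input is constructed; the dnsmasq-legacy account and the sample pids, uids and gids are hypothetical. One caveat: a dnsmasq process that still shows up as root may be the helper process dnsmasq keeps to run a dhcp-script as root; the audit reports it and leaves that judgement to the reader.

```python
"""Audit which identity libvirt's dnsmasq runs under.

Added example for this thread; not code from the libvirt package or the
Ubuntu packaging. All sample input below is constructed.
"""

# Accounts shared by many unrelated services: running under them gives no
# isolation from whatever else on the host runs as the same uid.
SHARED_ACCOUNTS = {"nobody", "daemon"}

# Constructed `ps -eo pid,user,group,args` output: one dnsmasq per state.
SAMPLE_PS = """\
  PID USER             GROUP            COMMAND
 3476 root             root             /usr/sbin/libvirtd
 3771 root             root             /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
 3772 nobody           nogroup          /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
 3990 dnsmasq-legacy   nogroup          /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
 4101 libvirt-dnsmasq  libvirt-dnsmasq  /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf
"""

# Constructed /etc/passwd and /etc/group excerpts. dnsmasq-legacy is a
# hypothetical stand-in for the old delta: own user, nogroup as primary
# group, and a member of the libvirt group (which owns the libvirtd socket).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
dnsmasq-legacy:x:118:65534::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
libvirt-dnsmasq:x:119:123::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
nogroup:x:65534:
libvirt:x:131:alice,dnsmasq-legacy
libvirt-dnsmasq:x:123:
"""

# Constructed dnsmasq configs. Without user=/group= dnsmasq falls back to its
# compiled-in default account, nobody; the fixed package writes both keys.
CONF_BEFORE = """\
# constructed excerpt of the options libvirt writes for the default network
strict-order
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254
"""
CONF_AFTER = CONF_BEFORE + "user=libvirt-dnsmasq\ngroup=libvirt-dnsmasq\n"


def parse_ps(text):
    """Rows of pid/user/group/args; the header and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            pid, user, group, args = parts
            procs.append({"pid": int(pid), "user": user, "group": group, "args": args})
    return procs


def parse_group(text):
    """name -> (gid, [members]) from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """name -> primary gid from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[3])
    return users


def groups_of(user, passwd, groups):
    """Primary plus supplementary group names of a user."""
    primary = passwd.get(user)
    return {name for name, (gid, members) in groups.items()
            if gid == primary or user in members}


def audit_dnsmasq(ps_text, passwd_text, group_text,
                  expected_user="libvirt-dnsmasq", privileged_group="libvirt"):
    """Return {pid: [findings]} for every dnsmasq process; an empty list is clean."""
    passwd = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    report = {}
    for proc in parse_ps(ps_text):
        exe = proc["args"].split()[0].rsplit("/", 1)[-1]
        if exe != "dnsmasq":
            continue
        user, group = proc["user"], proc["group"]
        findings = []
        if user == "root":
            findings.append("runs as root")
        elif user in SHARED_ACCOUNTS:
            findings.append(f"runs as shared account {user!r}")
        elif user != expected_user:
            findings.append(f"runs as {user!r}, expected {expected_user!r}")
        if privileged_group in groups_of(user, passwd, groups):
            findings.append(f"{user!r} is in the {privileged_group!r} group")
        if group == "nogroup":
            findings.append("primary group is nogroup (adduser --system default)")
        report[proc["pid"]] = findings
    return report


def check_dnsmasq_conf(conf_text, expected_user="libvirt-dnsmasq",
                       expected_group="libvirt-dnsmasq"):
    """Findings for a generated dnsmasq config: user= and group= must name the dedicated account."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    findings = []
    for key, want in (("user", expected_user), ("group", expected_group)):
        got = settings.get(key)
        if got != want:
            findings.append(f"{key}={got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for pid, findings in audit_dnsmasq(SAMPLE_PS, SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(pid, "OK" if not findings else "; ".join(findings))
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(name, check_dnsmasq_conf(conf) or "OK")
```

On a real host, feed it the output of `ps -eo pid,user,group,args`, the contents of /etc/passwd and /etc/group, and the per-network file under /var/lib/libvirt/dnsmasq/. The two checks are deliberately separate: the config check catches a package that forgot to write user=/group=, while the process check catches an account that exists but was created with the wrong group memberships, which is exactly the libvirt-group problem the thread found in the old delta.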
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
Thanks Christian, I think you're right that creating a new user account for this service is the way to go. Nice catch from Guido to *not* give libvirt group membership.
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
Hmm, not sure why my mailer decided this isn't important - it is!
Lost a few days on it due to not being visible yet - I beg all your pardon for this.
/slap my mail filters

This essentially came due to:
1. myself wanting to bring the Delta we had (by Serge) to run as libvirt-dnsmasq to Debian in [1]
2. out of the discussion in said bug it was decided to be a security risk. I don't have good logs to share (IRC/Mails/Hangout-Talks), but the TL;DR was "do not run it as that user"
3. out of that discussion the change causing this happened in [2]

I think I want to re-fix that at least for bionic to bring back Serge's changes. But in a modified way so they do not trigger the security issues found back then. They'll probably get an own group at least ...
I also need to look more into the issue that arises due to it for you by reading more into the comments above...

@Seth - any recommendation which user would be best for security isolation? Is an own one (but also with an own group this time) the best we can do?

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340
[2]: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1690729

** Bug watch added: Debian Bug tracker #862340
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862340
[Bug 1743718] Re: libvirt-daemon-system package runs dnsmasq as nobody
** Description changed:

- libvirt-daemon-system package runs two seemingly-identical (same
- invocation, same config file) copies of dnsmasq (one of which runs as
- root). Presumably only one copy should be running, owned by 'nobody'.
- 
+ libvirt-daemon-system package runs dnsmasq as 'nobody'.

  $ lsb_release -rd
  Description:    Ubuntu Bionic Beaver (development branch)
  Release:        18.04

- $ apt-cache policy libvirt-daemon-system
  libvirt-daemon-system:
-   Installed: 3.6.0-1ubuntu6
-   Candidate: 3.6.0-1ubuntu6
-   Version table:
-  *** 3.6.0-1ubuntu6 500
-         500 http://es.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
-         100 /var/lib/dpkg/status
- 
+   Installed: 3.6.0-1ubuntu6
+   Candidate: 3.6.0-1ubuntu6
+   Version table:
+  *** 3.6.0-1ubuntu6 500
+         500 http://es.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
+         100 /var/lib/dpkg/status

  $ sudo apt install libvirt-daemon-system
- Reading package lists... Done
- Building dependency tree
+ Reading package lists... Done
+ Building dependency tree
  Reading state information... Done
  The following additional packages will be installed:
-   libvirt-daemon
+   libvirt-daemon
  Suggested packages:
-   numad radvd auditd systemtap nfs-common zfsutils pm-utils
+   numad radvd auditd systemtap nfs-common zfsutils pm-utils
  The following NEW packages will be installed:
-   libvirt-daemon libvirt-daemon-system
+   libvirt-daemon libvirt-daemon-system
  0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/2227 kB of archives.
  After this operation, 10.3 MB of additional disk space will be used.
- Do you want to continue? [Y/n]
+ Do you want to continue? [Y/n]
  Preconfiguring packages ...
  Selecting previously unselected package libvirt-daemon.
  (Reading database ... 150336 files and directories currently installed.)
  Preparing to unpack .../libvirt-daemon_3.6.0-1ubuntu6_amd64.deb ...
  Unpacking libvirt-daemon (3.6.0-1ubuntu6) ...
  Selecting previously unselected package libvirt-daemon-system.
  Preparing to unpack .../libvirt-daemon-system_3.6.0-1ubuntu6_amd64.deb ...
  Unpacking libvirt-daemon-system (3.6.0-1ubuntu6) ...
  Processing triggers for ureadahead (0.100.0-20) ...
  ureadahead will be reprofiled on next reboot
  Setting up libvirt-daemon (3.6.0-1ubuntu6) ...
  Processing triggers for systemd (235-3ubuntu3) ...
  Processing triggers for man-db (2.7.6.1-4) ...
  Setting up libvirt-daemon-system (3.6.0-1ubuntu6) ...
  Adding user libvirt-qemu to group libvirt-qemu
  Created symlink /etc/systemd/system/multi-user.target.wants/libvirt-guests.service → /lib/systemd/system/libvirt-guests.service.
  Created symlink /etc/systemd/system/libvirt-bin.service → /lib/systemd/system/libvirtd.service.
  Created symlink /etc/systemd/system/multi-user.target.wants/libvirtd.service → /lib/systemd/system/libvirtd.service.
  Created symlink /etc/systemd/system/sockets.target.wants/virtlockd.socket → /lib/systemd/system/virtlockd.socket.
  Created symlink /etc/systemd/system/sockets.target.wants/virtlogd.socket → /lib/systemd/system/virtlogd.socket.
  virtlockd.service is a disabled or a static unit, not starting it.
  Setting up libvirt-daemon dnsmasq configuration.
  Processing triggers for ureadahead (0.100.0-20) ...
  Processing triggers for systemd (235-3ubuntu3) ...

- $ service libvirtd status
  ● libvirtd.service - Virtualization daemon
-    Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset:
-    Active: active (running) since Tue 2018-01-16 18:16:08 CET; 7s ago
-      Docs: man:libvirtd(8)
-            http://libvirt.org
-  Main PID: 3476 (libvirtd)
-     Tasks: 18 (limit: 32768)
-    CGroup: /system.slice/libvirtd.service
-            ├─3476 /usr/sbin/libvirtd
-            ├─3771 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default
-            └─3772 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default
+    Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset:
+    Active: active (running) since Tue 2018-01-16 18:16:08 CET; 7s ago
+      Docs: man:libvirtd(8)
+            http://libvirt.org
+  Main PID: 3476 (libvirtd)
+     Tasks: 18 (limit: 32768)
+    CGroup: /system.slice/libvirtd.service
+            ├─3476 /usr/sbin/libvirtd
+            ├─3771 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default
+            └─3772 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default

  Jan 16 18:16:08 desktop systemd[1]: Started Virtualization daemon.
  Jan 16 18:16:09 desktop dnsmasq[3771]: started, version 2.78 cachesize 150
  Jan 16 18:16:09 desktop dnsmasq[3771]: compile time options: IPv6 GNU-getopt DBu