Richard W.M. Jones
2022-Mar-22 14:35 UTC
[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
When using the libvirt backend and running as root, libvirt will run qemu as a non-root user (eg. qemu:qemu). The v2v directory stores NBD endpoints that qemu must be able to open and so we set the directory to mode 0711. Unfortunately this permits any non-root user to open the sockets (since, by design, they have predictable names within the directory). So instead of using directory permissions, use an ACL which allows us to precisely give access to the qemu user and no one else. Reported-by: Xiaodai Wang Thanks: Dr David Gilbert Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2066773 --- lib/utils.ml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/utils.ml b/lib/utils.ml index 757bc73c8e..5623250832 100644 --- a/lib/utils.ml +++ b/lib/utils.ml @@ -158,8 +158,12 @@ let error_if_no_ssh_agent () (* Create the directory containing inX and outX sockets. *) let create_v2v_directory () let d = Mkdtemp.temp_dir "v2v." in + (* If running as root, and if the backend is libvirt, libvirt + * will run qemu as a non-root user. Allow qemu to open the directory. + *) let running_as_root = Unix.geteuid () = 0 in - if running_as_root then Unix.chmod d 0o711; + if running_as_root && backend_is_libvirt () then + ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d))); On_exit.rmdir d; d -- 2.35.1
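Review bot: the exit status of `setfacl` is thrown away in `ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d)))`, so if the command fails (setfacl not installed, the temporary directory on a filesystem without ACL support, no `qemu` account) the directory silently keeps the 0700 that mkdtemp(3) gives it and qemu only fails later, when it cannot open the NBD sockets, with an error that points nowhere near this code; test that `Sys.command` returned 0 and report an error naming the directory otherwise. The account name is also hard-coded: libvirt's `user` setting in qemu.conf can change it and some distributions ship a differently named account, so either read it from the libvirt configuration or at least state the assumption in the new comment above the call. Dropping `Unix.chmod d 0o711` also changes the root, non-libvirt case (the directory now stays at mkdtemp's 0700, which is the intended tightening) and deserves a sentence in the commit message.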
Laszlo Ersek
2022-Mar-22 16:10 UTC
[Libguestfs] [PATCH v2v] lib: Use an ACL to allow qemu to access the v2v directory
On 03/22/22 15:35, Richard W.M. Jones wrote:
> When using the libvirt backend and running as root, libvirt will run
> qemu as a non-root user (eg. qemu:qemu). The v2v directory stores NBD
> endpoints that qemu must be able to open and so we set the directory
> to mode 0711. Unfortunately this permits any non-root user to open
> the sockets (since, by design, they have predictable names within the
> directory).

Are the NBD socket pathnames visible on the QEMU command line ("ps -ef" or "ps auxwww")? If not, then the issue could be prevented by inserting a directory with a hard-to-guess name in the middle (e.g. one named by uuidgen).

>
> So instead of using directory permissions, use an ACL which allows us
> to precisely give access to the qemu user and no one else.

If we may assume the "qemu" user name (and we're root), we can just give qemu:root ownership to the directory, and file mode bits 0700. The qemu user will have access, and v2v (running as root) will not be hindered by a theoretical lack of access rights.

>
> Reported-by: Xiaodai Wang
> Thanks: Dr David Gilbert
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2066773
> ---
> lib/utils.ml | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/lib/utils.ml b/lib/utils.ml
> index 757bc73c8e..5623250832 100644
> --- a/lib/utils.ml
> +++ b/lib/utils.ml
> @@ -158,8 +158,12 @@ let error_if_no_ssh_agent () > (* Create the directory containing inX and outX sockets. *) > let create_v2v_directory () > let d = Mkdtemp.temp_dir "v2v." in > + (* If running as root, and if the backend is libvirt, libvirt > + * will run qemu as a non-root user. Allow qemu to open the directory. > + *) > let running_as_root = Unix.geteuid () = 0 in > - if running_as_root then Unix.chmod d 0o711; > + if running_as_root && backend_is_libvirt () then > + ignore (Sys.command (sprintf "setfacl -m user:qemu:rwx %s" (quote d))); > On_exit.rmdir d; > d
>

Not ideal -- yet another facility, in order to get around a security measure we put in place ourselves -- but it gets the job done...

Acked-by: Laszlo Ersek <lersek at redhat.com>
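To make the access-control argument in the thread concrete, here is a constructed model of the POSIX.1e permission check that Linux applies to a directory carrying an ACL. It is an added illustration, not code from virt-v2v, libvirt or either author, and it compares the three layouts the thread discusses: the original `chmod 0711`, the patch's `setfacl -m user:qemu:rwx` on the 0700 directory mkdtemp creates, and Laszlo's alternative of qemu:root ownership with mode 0700. The uids and gids are made up for the example; only discretionary permissions are modelled (no SELinux or other MAC).

```python
# Added, constructed model of the POSIX.1e access check (the algorithm
# Linux applies to directories carrying an ACL); not virt-v2v or libvirt
# code.  The uids and gids below are made up for the example.
import functools
import operator
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                        # permission bits, as in a mode octet
ROOT, QEMU, OTHER_USER = 0, 107, 1000    # constructed uids
ROOT_GID, QEMU_GID, OTHER_GID = 0, 107, 1000   # constructed gids


@dataclass
class DirAcl:
    """Permissions on one directory: mode bits plus optional named entries.

    With no named entries the ACL is 'minimal' and behaves exactly like the
    mode bits.  Once a named entry exists a MASK entry caps every entry that
    is not OWNER or OTHER; `setfacl -m` (without -n) recomputes that mask as
    the union of the group-class entries, which is what is modelled here.
    """
    owner_uid: int
    owner_gid: int
    mode: int                                   # e.g. 0o711
    users: dict = field(default_factory=dict)   # uid -> perms (named users)
    groups: dict = field(default_factory=dict)  # gid -> perms (named groups)

    def bits(self, shift):
        """Owner (6), owning-group (3) or other (0) triplet of the mode."""
        return (self.mode >> shift) & 7

    @property
    def mask(self):
        if not (self.users or self.groups):
            return 7                            # no MASK entry: nothing capped
        return functools.reduce(
            operator.or_,
            [self.bits(3), *self.users.values(), *self.groups.values()], 0)


def can_access(acl, uid, gids, want):
    """POSIX.1e algorithm: the first matching class decides, no fall-through."""
    if uid == ROOT:
        return True                     # CAP_DAC_OVERRIDE: root bypasses DAC
    if uid == acl.owner_uid:
        return (acl.bits(6) & want) == want
    if uid in acl.users:
        return (acl.users[uid] & acl.mask & want) == want
    group_entries = []
    if acl.owner_gid in gids:
        group_entries.append(acl.bits(3))
    group_entries += [p for g, p in acl.groups.items() if g in gids]
    if group_entries:
        # Any matching group entry that grants the request is sufficient.
        return any((p & acl.mask & want) == want for p in group_entries)
    return (acl.bits(0) & want) == want


def who_can_connect(acl):
    """connect(2) on a Unix socket needs search (x) on every directory in its
    path; with predictable socket names that search bit is the whole barrier."""
    return {
        "root": can_access(acl, ROOT, {ROOT_GID}, X),
        "qemu": can_access(acl, QEMU, {QEMU_GID}, X),
        "other": can_access(acl, OTHER_USER, {OTHER_GID}, X),
    }


# The three layouts discussed in the thread.
BEFORE = DirAcl(ROOT, ROOT_GID, 0o711)                              # Unix.chmod d 0o711
WITH_ACL = DirAcl(ROOT, ROOT_GID, 0o700, users={QEMU: R | W | X})   # setfacl -m user:qemu:rwx
CHOWNED = DirAcl(QEMU, ROOT_GID, 0o700)                             # qemu:root, mode 0700

if __name__ == "__main__":
    for name, acl in (("0711", BEFORE), ("0700+ACL", WITH_ACL),
                      ("qemu:root 0700", CHOWNED)):
        print(f"{name:15} {who_can_connect(acl)}")
```

Running it shows the point of the patch: under 0711 every local user can search the directory and therefore reach the predictably named sockets, while both the named-user ACL and the ownership change admit only qemu, with root unaffected because it bypasses the discretionary check entirely.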