Re: security: the qemu agent command "guest-exec" may cause Insider Access

On Fri, Aug 25, 2017 at 06:45:18AM +0000, Zhangbo (Oscar) wrote:
Hi all:
    The Host Administrator is capable of running any exec in guests via the qemu-ga command "guest-exec", e.g.:

    virsh qemu-agent-command test_guest '{"execute": "guest-exec", "arguments": {"path": "ifconfig", "arg": [ "eth1", "192.168.0.99" ],"capture-output": true } }'
    {"return":{"pid":12425}}
    virsh qemu-agent-command test_guest '{"execute": "guest-exec-status", "arguments": { "pid": 12425 } }'
    {"return":{"exitcode":0,"exited":true}}

    The example above just changes the guest's IP address; the Administrator may also change guests' user passwords, get sensitive information, etc., which causes Insider Access.
    The Administrator can also use other commands such as "guest-file-open" that also cause Insider Access.

    So, how to avoid this security problem? What's your suggestion?
    Thanks!


What's your setup that this, in particular, is your concern?  Do you
have everything encrypted by keys that are not reachable for the host
administrator?  How are those saved?  For example, how do you guard
against the host administrator killing the domain?  Or mounting the disk
of the domain, doing whatever they want to with it and starting it back?
Or a million other things that come to mind.  Not trusting the host
administrator is kinda (well, precisely) like not trusting root on a *NIX
machine.

Martin

P.S.: Maybe more aluminium could help, but I haven't tried yet.

Best Regards
Oscar
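Added example, not part of the thread: a Python helper that builds the JSON passed to `virsh qemu-agent-command`, parses the agent's `guest-info` reply (a constructed sample below) to list which insider-access RPCs are still enabled in a guest, and renders the `[general]` `blacklist=` setting of `/etc/qemu/qemu-ga.conf` that disables them from inside the guest. The RPC list is an assumption that extends the two commands named in the thread with qemu-ga's other file and password RPCs; the config key name is that of qemu-ga releases of the thread's era.

```python
import json

# qemu-ga RPCs through which the host side can run code in, or read/write
# files and credentials of, the guest. Constructed list: the thread names
# guest-exec and guest-file-open; the rest are assumed sensitive siblings.
INSIDER_ACCESS_RPCS = {
    "guest-exec", "guest-exec-status",
    "guest-file-open", "guest-file-read", "guest-file-write",
    "guest-file-seek", "guest-file-flush", "guest-file-close",
    "guest-set-user-password",
}


def agent_command(execute, arguments=None):
    """Build the JSON string that 'virsh qemu-agent-command <domain>' takes."""
    cmd = {"execute": execute}
    if arguments:
        cmd["arguments"] = arguments
    return json.dumps(cmd)


def enabled_insider_rpcs(guest_info_reply):
    """Return the sensitive RPCs a 'guest-info' reply reports as enabled.

    guest-info replies with {"return": {"version": ..., "supported_commands":
    [{"name": ..., "enabled": bool, "success-response": bool}, ...]}}.
    """
    info = json.loads(guest_info_reply)["return"]
    return sorted(c["name"] for c in info["supported_commands"]
                  if c["enabled"] and c["name"] in INSIDER_ACCESS_RPCS)


def blacklist_config(rpcs):
    """Render the qemu-ga.conf section that disables the given RPCs in the guest.

    Assumption: the key is 'blacklist' in qemu-ga of this era (newer releases
    renamed it).
    """
    return "[general]\nblacklist=" + ",".join(sorted(rpcs)) + "\n"


# Constructed sample reply, shaped like a real guest-info response.
SAMPLE_GUEST_INFO = json.dumps({"return": {"version": "2.9.0", "supported_commands": [
    {"name": "guest-exec", "enabled": True, "success-response": True},
    {"name": "guest-exec-status", "enabled": True, "success-response": True},
    {"name": "guest-file-open", "enabled": False, "success-response": True},
    {"name": "guest-ping", "enabled": True, "success-response": True},
]}})

if __name__ == "__main__":
    print(agent_command("guest-info"))
    exposed = enabled_insider_rpcs(SAMPLE_GUEST_INFO)
    print("enabled insider-access RPCs:", exposed)
    print(blacklist_config(exposed))
```

Disabling RPCs in the guest only narrows what the agent offers; as Martin notes, it does nothing against a host root that can mount the guest's disk directly.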

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
