On Tue, Mar 26, 2019 at 04:20:02PM +0100, Pavel Hrdina wrote:
> On Tue, Mar 26, 2019 at 01:36:14PM +0000, Daniel P. Berrangé wrote:
> > On Tue, Mar 26, 2019 at 02:30:00PM +0100, Pavel Hrdina wrote:
> > > On Tue, Mar 26, 2019 at 01:20:46PM +0000, Daniel P. Berrangé wrote:
> > > > On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > > > > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > > > > everywhere else.
> > > > >
> > > > > Looking at what downstream distributions actually do, we can see that
> > > > > these defaults are overridden the vast majority of the time, with a
> > > > > number of variations showing up in the wild:
> > > > >
> > > > >   * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> > > > >     and... As it turns out, our very own spec file :)
> > > > >
> > > > >   * libvirt-qemu:libvirt-qemu -> Used by Debian.
> > > > >
> > > > >   * libvirt-qemu:kvm -> Used by Ubuntu.
> > > > >
> > > > >   * nobody:nobody -> Used by Arch Linux.
> > > > >
> > > > > Based on the above, we can conclude that qemu:qemu are the preferred
> > > > > credentials to be used when spawning a QEMU process, while our
> > > > > current defaults get very little love.
> > > > >
> > > > > Changing our defaults aligns with what most downstreams are actually
> > > > > doing, promotes running QEMU under a non-root user - which is a very
> > > > > good idea anyway - and shields random people building libvirt from
> > > > > source from unwittingly running their guests as root.
> > > >
> > > > While I understand the motivation, this impl is problematic because
> > > > it will guarantee that someone building & installing libvirt from
> > > > source on Debian, Ubuntu and Arch will have a non-functional QEMU
> > > > driver as it will try to use a "qemu:qemu" user/group which does
> > > > not exist on those distros.
> > > >
> > > > If we want to change this, we must ensure that we honour the distro
> > > > specific user/group names you show above, and fall back to root/root
> > > > for distros we don't know about.
> > >
> > > Or possibly we can fall back to nobody or similar that is used by every
> > > distro. That way we would not use root:root for unknown distros as
> > > well.
> >
> > I'm not sure falling back to "nobody" is a good idea. The "nobody"
> > account is often used for setting file permissions on things that
> > nothing should be allowed to access. By running qemu as "nobody"
> > we would be given access to those files which may be a security
> > issue. Yes Arch is using this account, so they've decided it is
> > safe for their distro, but we can't assume other distros use "nobody"
> > the same way as Arch.
>
> Right, did not realize that. I guess that there is no other user widely
> used by the majority of distributions so we probably need to fall back to
> root:root.

Of course I should note running with root:root is guaranteed to be
insecure on every distro :-)

The point is more that running as "nobody" potentially gives a
potentially problematic sense of security.

Regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
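The selection logic Daniel asks for (honour the distro-specific user:group pairs listed in the thread, accept a pair only if both the user and the group actually exist, and fall back to root:root with a loud warning otherwise) can be sketched as a small POSIX shell function. This is an added illustration and not libvirt's own code; the candidate list is the one quoted above, the function names `account_exists` and `pick_qemu_user` are invented here, and the lookup reads /etc/passwd and /etc/group directly so it runs offline (a real build or init script should use `getent` so NSS back ends such as LDAP or sssd are consulted as well). Deliberately, "nobody" is never a built-in fallback, and a warning is printed if a caller asks for it, following the reasoning in the reply above.

```shell
#!/bin/sh
# Added example, not libvirt code: pick the user:group to spawn QEMU as.
# Candidates are tried in order; a pair is usable only if BOTH the user and
# the group exist on this host. If none does, fall back to root:root and
# warn, rather than silently using "nobody" (see the thread's objection).

account_exists() {
    # $1 = passwd|group, $2 = account name.
    # Reads the local database files so the example works offline.
    # On a real host prefer: getent "$1" "$2" >/dev/null
    grep -q "^$2:" "/etc/$1"
}

pick_qemu_user() {
    # Arguments: zero or more user:group candidates, most preferred first.
    # With no arguments, use the downstream defaults listed in the thread.
    if [ $# -eq 0 ]; then
        set -- qemu:qemu libvirt-qemu:libvirt-qemu libvirt-qemu:kvm
    fi

    for pair in "$@"; do
        user=${pair%%:*}
        group=${pair#*:}

        # Arch chose nobody:nobody deliberately; other distros often use
        # "nobody" as the owner of files nothing should be able to read,
        # so only honour it when a caller explicitly lists it, and say so.
        if [ "$user" = nobody ]; then
            echo "warning: running QEMU as 'nobody' may expose files owned by nobody" >&2
        fi

        if account_exists passwd "$user" && account_exists group "$group"; then
            echo "$pair"
            return 0
        fi
    done

    # Unknown distro: no candidate account exists. root:root is insecure
    # everywhere, but at least the driver keeps working and the operator
    # is told why.
    echo "warning: no candidate account found; falling back to root:root (insecure)" >&2
    echo root:root
    return 0
}

# Stand-alone use: print the pair chosen for this host.
pick_qemu_user
```

The function never fails outright, so a packager can wire its output straight into a configure-time default; the stderr warnings are what a person building from source on an unknown distro would see, which is exactly the "unwittingly running as root" case the original patch tried to prevent.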