On Thu, Sep 03, 2020 at 04:22:39PM +0200, Ján Tomko wrote:
> On a Wednesday in 2020, Daniel P. Berrangé wrote:
> > The systemd .socket unit files we ship for libvirt daemons use
> > SocketMode=0666 on the assumption that libvirt is built with
> > polkit which provides access control.
> >
> > Some people, however, may have explicitly turned off polkit at
> > build time and not realize that leaves them insecure unless
> > they also change the SocketMode. This addresses that problem
> > by making the SocketMode default to 0600 when polkit is
> > disabled at compile time.
> >
> > Note we cannot automatically fix the case where the user
> > compiles polkit, but then overrides the libvirtd.conf defaults
> > to disable polkit. This is what lead to CVE-2020-15708 in
> > Ubuntu 20.10. We can at least improve the inline comments
> > in the config file to give a clearer warning though, which
> > may have helped avoid the mistaken config.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > ---
> > src/meson.build | 11 ++++++++++
> > src/remote/libvirtd.conf.in | 40 ++++++++++++++++++++++++++---------
> > src/remote/libvirtd.socket.in | 2 +-
> > 3 files changed, 42 insertions(+), 11 deletions(-)
> >
> > diff --git a/src/meson.build b/src/meson.build
> > index 5d8deaf548..897b5ecbca 100644
> > --- a/src/meson.build
> > +++ b/src/meson.build
> > @@ -713,6 +713,12 @@ foreach data : virt_daemon_confs
> > daemon_conf.set('DAEMON_NAME_UC', name_uc)
> > # to silence meson warning about missing 'CONFIG' in the configuration_data
> > daemon_conf.set('CONFIG', '@CONFIG@')
> > + if conf.has('WITH_POLKIT')
> > + daemon_conf.set('default_auth', 'polkit')
> > + else
> > + daemon_conf.set('default_auth', 'none')
> > + endif
> > +
> >
> > if data.get('with_ip', false)
> > conf_in = libvirtd_conf_tmp
> > @@ -792,6 +798,11 @@ if conf.has('WITH_LIBVIRTD')
> > unit_conf.set('service', unit['service'])
> > unit_conf.set('sockprefix', unit['sockprefix'])
> > unit_conf.set('deps', unit.get('deps', ''))
> > + if conf.has('WITH_POLKIT')
> > + unit_conf.set('mode', '0666')
> > + else
> > + unit_conf.set('mode', '0600')
> > + endif
> >
> > configure_file(
> > input: unit['service_in'],
> > diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
> > index 2607fbad86..ae6207bf54 100644
> > --- a/src/remote/libvirtd.conf.in
> > +++ b/src/remote/libvirtd.conf.in
> > @@ -127,6 +127,8 @@
> > #
> > # Authentication.
> > #
> > +# There are the following choices available:
> > +#
> > # - none: do not perform auth checks. If you can connect to the
> > # socket you are allowed. This is suitable if there are
> > # restrictions on connecting to the socket (eg, UNIX
> > @@ -144,21 +146,39 @@
> > # full read/write access (aka sudo like), while anyone
> > # is allowed read/only access.
> > #
> > +
> > # Set an authentication scheme for UNIX read-only sockets
> > +#
> > # By default socket permissions allow anyone to connect
> > #
> > -# To restrict monitoring of domains you may wish to enable
> > -# an authentication mechanism here
> > -#auth_unix_ro = "none"
> > +# If libvirt was compiled without support for 'polkit', then
> > +# no access control checks are done, but libvirt still only
> > +# allows execution of APIs which don't change state.
> > +#
> > +# If libvirt was compiled with support for 'polkit', then
> > +# the libvirt socket will perform a check with polkit after
> > +# connections. The default policy still allows any local
> > +# user access.
> > +#
> > +# To restrict monitoring of domains you may wish to either
> > +# enable 'sasl' here, or change the polkit policy definition.
> > +#auth_unix_ro = "@default_auth@"
> >
>
> This change affects the augeas tests which will need some special
> treatment:
> https://gitlab.com/libvirt/libvirt/-/jobs/717784534#L2306
Urgh, I wasn't paying attention to CI since it was already broken
for other jobs. I'll post a fix soon.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
