On 5/25/21 6:50 PM, Darragh Bailey wrote:
> Hi,
>
> A request has come up recently in vagrant-libvirt about changing the
> permissions used for the VM volume image file.
>
> Currently there is a backing image file uploaded that gets 744 as the file
> permissions, and then the VM domain is created using this as the backing
> file for any changes. The file containing the changes for the VM gets 600,
> so accessing what is contained is limited to libvirt and thus to those that
> can connect to libvirt.
>
> The request is to change this to be 744, it appears to have been triggered
> due to a desire to try and use virt-v2v to create a portable XML and export
> the disks.
>
> However I'm a little hesitant as in general I would default to more secure
> rather than less secure to avoid creating security concerns down the line.
> Even though vagrant-libvirt is typically used for development, it wouldn't
> surprise me to see it being used on CI build infrastructure and given the
> shared nature of that, making things less secure may cause issues for some
> users. Of course working out who would be impacted is virtually impossible
> without making the change and seeing who is concerned. And that might be
> several months down the line before it's raised.
>
> Rather than just merging this, wondering if there are any security
> guidelines on the file permissions for VM image files? That or something
> that can outline the risks, or even clarify that it's unnecessary to worry
> about?

Disks can contain various secrets (passwords, certificates, private keys, etc.). Historically, libvirt set seclabel on anything that QEMU needed access to and then returned it to root:root when QEMU no longer needed it, exactly because we could not tell if some sensitive info was stored in a file or not. With recent enough libvirt (5.6.0 or newer) libvirt remembers the original seclabel (owner + SELinux label) and restores them afterwards. The mode is untouched though.
I'd say that if somebody wants a disk to be "shared", e.g. readable by other users on the system, they can put <shareable/> stanza into disk XML. But then again - libvirt doesn't change the mode. So I think it's up to vagrant to decide.

Michal
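As an added illustration of the check being discussed (not part of the thread, and not vagrant-libvirt or libvirt code): the script below reads a libvirt domain XML, collects every file-backed disk and backing store, and reports which image files are readable beyond their owner. Following Michal's suggestion, a disk whose XML carries `<shareable/>` is treated as deliberately shared and not flagged; everything else that is group- or world-readable is marked for review. The domain XML, the image paths and the modes in the test are constructed for the example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample domain XML in libvirt's shape (not from the thread):
# one overlay with a backing image, plus one disk marked <shareable/>.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vagrant-box</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/vagrant-box.img'/>
      <backingStore type='file'>
        <source file='/var/lib/libvirt/images/box_base.img'/>
      </backingStore>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/shared-data.img'/>
      <target dev='vdb' bus='virtio'/>
      <shareable/>
    </disk>
  </devices>
</domain>
"""


def disk_sources(domain_xml):
    """Yield (path, shareable) for every file-backed disk source,
    including <source> elements nested inside <backingStore>."""
    root = ET.fromstring(domain_xml)
    for disk in root.findall("./devices/disk"):
        shareable = disk.find("shareable") is not None
        for src in disk.iter("source"):
            path = src.get("file")
            if path:
                yield path, shareable


def classify_mode(mode):
    """Rank a POSIX mode by who may read the file:
    0600 -> 'private', 0640 -> 'group-readable', 0644/0744 -> 'world-readable'."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IROTH:
        return "world-readable"
    if perm & stat.S_IRGRP:
        return "group-readable"
    return "private"


def audit_modes(domain_xml, modes):
    """Pure core so it can be tested without real files.
    modes maps path -> st_mode. Returns (path, verdict, flagged) tuples;
    flagged is True when the image is readable beyond its owner and the
    XML does not declare <shareable/> (taken here as the stated intent to share)."""
    findings = []
    for path, shareable in disk_sources(domain_xml):
        if path not in modes:
            findings.append((path, "missing", False))
            continue
        verdict = classify_mode(modes[path])
        findings.append((path, verdict, verdict != "private" and not shareable))
    return findings


def audit(domain_xml):
    """Stat the real files named in the domain XML and audit them."""
    modes = {}
    for path, _ in disk_sources(domain_xml):
        try:
            modes[path] = os.stat(path).st_mode
        except FileNotFoundError:
            pass  # reported as 'missing' by audit_modes
    return audit_modes(domain_xml, modes)


if __name__ == "__main__":
    # On a real host: audit(open("/etc/libvirt/qemu/<domain>.xml").read())
    for path, verdict, flagged in audit(SAMPLE_DOMAIN_XML):
        print(f"{'REVIEW' if flagged else 'ok    '} {verdict:15} {path}")
```

The backing image in the sample is exactly the case from the thread: the overlay stays 0600 and is reported as private, while the 0744 base image is flagged because anything readable by other users, and not declared shareable, deserves a second look before the permissions are loosened further.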