Re: Recommended volume permissions (being created for vagrant-libvirt via fog-libvirt)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/25/21 6:50 PM, Darragh Bailey wrote:
> Hi,
> 
> A request has come up recently in vagrant-libvirt about changing the
> permissions used for the VM volume image file.
> 
> Currently there is a backing image file uploaded that gets 744 as the file
> permissions, and then the VM domain is created using this as the backing
> file for any changes. The file containing the changes for the VM gets 600,
> so accessing what is contained is limited to libvirt and thus to those that
> can connect to libvirt.
> 
> The request is to change this to be 744, it appears to have been triggered
> due to a desire to try and use virt-v2v to create a portable XML and export
> the disks.
> 
> However I'm a little hesitant as in general I would default to more secure
> rather than less secure to avoid creating security concerns down the line.
> Even though vagrant-libvirt is typically used for development, it wouldn't
> surprise me to see it being used on CI build infrastructure and given the
> shared nature of that, making things less secure may cause issues for some
> users. Of course working out who would be impacted is virtually impossible
> without making the change and seeing who is concerned. And that might be
> several months down the line before it's raised.
> 
> Rather than just merging this, wondering if there are any security
> guidelines on the file permissions for VM image files? That or something
> that can outline the risks, or even clarify that it's unnecessary to worry
> about?

Disks can contain various secrets (passwords, certificates, private
keys, etc.). Historically, libvirt set seclabel on anything that QEMU
needed access to and then returned it to root:root when QEMU no longer
needed it, exactly because we could not tell if some sensitive info was
stored in a file or not.

With recent enough libvirt (5.6.0 or newer) libvirt remember the
original seclabel (owner + SELinux label) and restores them afterwards.
The mode is untouched though.

I'd say that if somebody wants a disk to be "shared", e.g. readable by
other users on the system, they can put <shareable/> stanza into disk
XML. But then again - libvirt doesn't change the mode. So I think it's
up to vagrant to decide.

Michal




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux