On Fri, Aug 30, 2024 at 14:43:02 +0200, Lee Garrett wrote:
> Hi everyone,
>
> while using virt-v2v I've hit an issue [0], where essentially virt-v2v fails
> as non-root user, due to /var/lib/libvirt/images/ belonging to root:root. I
> proposed to change the ownership to root:libvirt, and permission bits to
> ug=rwx,o=x, as that would allow users of the libvirt group to use virt-v2v
> without running as root.

Non-root users of libvirt can still keep their images in the home directory
and don't actually have to use /var/lib/libvirt/images. virt-v2v in non-root
mode should not actually use that directory but rather use one in the path
it is allowed to.

> My questions here are: Are there any downsides to this? AFAICS users of the
> libvirt group are allowed to change images via the libvirt API anyway, so from
> the security standpoint there should be no change. And if there are none,
> can we change the upstream default to those permissions?

By default non-root users are required to authenticate via polkit first to
access the system (root) instance of libvirt daemons. Then they normally can
use all of libvirt APIs, but admins can also define ACL rules for certain
objects removing the ability to see or manage certain objects or restrict
certain actions (based on what the admin wants).

Effectively a user of the system instance who is allowed to modify the VM
xml has access level equivalent to the root user as VM xml can be crafted
such that it executes a binary as root.

Users wanting to use the non-root (session) instance don't need to actually
be part of the libvirt group and thus don't have access to the system
instance at all.

Allowing 'w=rw' on a directory can bypass the ACL rules if there were any
restrictions placed on them. Additionally as users of session instance of
libvirt don't even need to be part of the privileged group.

Also in cases when the system is set up to have a different filesystem for
home directories, this could bypass this split by allowing certain users to
write into /var/.

As such I don't think we'd want to do what you propose.

> Thanks in advance,
> Lee
>
> P.S.: Keep me CCed, I'm off-list.
>
> [0] downstream Debian bug with more details: https://bugs.debian.org/1054230
>
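The reply's point is that a group- or world-writable /var/lib/libvirt/images hands every member of that group filesystem write access that libvirt's polkit and ACL rules never see, while a session-instance user has a writable directory of their own anyway. The following audit script is an added example, not code from this thread or from the libvirt project: it classifies a directory's write bits the way the reply reasons about them and prints the per-user images path a session instance would use instead. It assumes GNU `stat` (Linux) and that the session path follows the XDG data directory layout under `$HOME/.local/share` (assumed default, not stated in the thread).

```shell
#!/bin/sh
# Added example (not from the libvirt thread or project): audit a libvirt
# images directory for group/other write bits. Any such bit lets every member
# of the owning group (or everyone) write there regardless of libvirt's
# polkit/ACL rules, which only govern the libvirt API, not the filesystem.

# Print one of: private | group-writable | world-writable
# (world-writable wins when both bits are set). Return 2 if the path
# cannot be stat'ed. Assumes GNU stat.
dir_write_class() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # Keep only the last three octal digits (drops a setgid/sticky prefix).
    mode=$(printf '%s' "$mode" | tail -c 3)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    case $o in 2|3|6|7) echo world-writable; return 0;; esac
    case $g in 2|3|6|7) echo group-writable; return 0;; esac
    echo private
}

# Directory a session (non-root) libvirt user can write to instead of
# /var/lib/libvirt/images. XDG data layout is an assumption of this example.
session_images_dir() {
    echo "${XDG_DATA_HOME:-$HOME/.local/share}/libvirt/images"
}

# Report owner:group and write class for a directory (default: the system
# images directory). Succeeds only when the directory is private, i.e. no
# group/other write bit, which is the state the reply argues for keeping.
audit_images_dir() {
    d=${1:-/var/lib/libvirt/images}
    cls=$(dir_write_class "$d") || { echo "$d: cannot stat"; return 2; }
    echo "$d owner=$(stat -c '%U:%G' "$d") class=$cls"
    [ "$cls" = private ]
}

# Stand-alone usage: audit the system directory, then show the session path.
if [ "${1:-}" = "--run" ]; then
    audit_images_dir || echo "non-private mode: group members bypass libvirt ACLs"
    echo "session-instance users can use: $(session_images_dir)"
fi
```

Run it as `sh audit.sh --run`; a `class=group-writable` or `class=world-writable` line on the system images directory is the condition the reply warns about, and the last line shows where a non-root user can keep images without touching /var.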