[PATCH 09/14] Only allow the UNIX transport in remote driver when setuid

From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

We don't know enough about quality of external libraries used
for non-UNIX transports, nor do we want to spawn external
commands when setuid. Restrict to the bare minimum which is
UNIX transport for local usage. Users shouldn't need to be
running setuid if connecting to remote hypervisors in any
case.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/libvirt.c              |  6 ++++++
 src/remote/remote_driver.c | 14 ++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/libvirt.c b/src/libvirt.c
index 0f8d79a..aec5d80 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -1135,6 +1135,12 @@ do_open(const char *name,
     if (name && name[0] == '\0')
         name = NULL;
 
+    if (!name && virIsSUID()) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("An explicit URI must be provided when setuid"));
+        goto failed;
+    }
+
     /*
      *  If no URI is passed, then check for an environment string if not
      *  available probe the compiled in drivers to find a default hypervisor
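Review bot: the new `virIsSUID()` check at the top of the hunk short-circuits the environment-variable fallback that the comment immediately below it still describes as unconditional; that is the right effect (the environment is caller-controlled in a setuid process, so a default URI must not be taken from it), but the comment should say so, e.g. add "When running setuid an explicit URI is mandatory and the environment is not consulted" to the block starting `/*  If no URI is passed, then check for an environment string`. Secondary point: `VIR_ERR_INTERNAL_ERROR` classifies a caller usage mistake (no URI supplied) as an internal failure; `VIR_ERR_INVALID_ARG` would describe the condition more accurately and make the error easier to handle for callers.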
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 759383e..c0e508a 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -488,6 +488,20 @@ doRemoteOpen(virConnectPtr conn,
         transport = trans_unix;
     }
 
+    /*
+     * We don't want to be executing external programs in setuid mode,
+     * so this rules out 'ext' and 'ssh' transports. Exclude libssh
+     * and tls too, since we're not confident the libraries are safe
+     * for setuid usage. Just allow UNIX sockets, since that does
+     * not require any external libraries or command execution
+     */
+    if (virIsSUID() &&
+        transport != trans_unix) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Only Unix socket URI transport is allowed in setuid mode"));
+        return VIR_DRV_OPEN_ERROR;
+    }
+
     /* Local variables which we will initialize. These can
      * get freed in the failed: path.
      */
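Review bot: the `transport != trans_unix` check constrains only the transport kind, not the remaining URI-supplied parameters that the unix transport still consumes later in `doRemoteOpen` (the socket path in particular), so the comment's claim that the unix path "does not require any external libraries or command execution" holds, but it is worth confirming in the follow-up code that those parameters are validated under `virIsSUID()` as well, since they are equally caller-controlled. The bare `return VIR_DRV_OPEN_ERROR` is correct here because the check sits above the "Local variables which we will initialize" block, so nothing has been allocated that the `failed:` path would need to free; a short comment saying so would keep a future change from moving the check below the initialization. Minor style: the two-line condition `if (virIsSUID() &&` / `transport != trans_unix)` fits on one line, and the same `VIR_ERR_INTERNAL_ERROR` vs `VIR_ERR_INVALID_ARG` remark as for the libvirt.c hunk applies.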
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]