On 08/27/2012 01:11 PM, Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
>     % ls -l /dev/kvm
>     crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
>
> Despite that, when a process is uid 1000 and group id 1000, and not in
> any other groups, I can open /dev/kvm.
>
> I.e., here are the relevant lines from /proc/<pid>/status:
>
>     Uid: 1000 1000 1000 1000
>     Gid: 1000 1000 1000 1000
>     Groups: 1000
>
> Note, just to show this isn't some weirdness in /etc/passwd or
> /etc/groups, here is the output of stat on /dev/kvm:
>
>     File: `/dev/kvm'
>     Size: 0 Blocks: 0 IO Block: 4096
>     character special file
>     Device: 5h/5d Inode: 2597329 Links: 1 Device type: a,e8
>     Access: (0660/crw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
>     Access: 2012-08-24 15:03:33.616998585 -0500
>     Modify: 2012-08-24 15:03:33.616998585 -0500
>     Change: 2012-08-24 15:03:33.616998585 -0500
>
> Please note, I don't understand how this could really be. Regardless of
> what the /dev/kvm driver does, I don't get how I can get to open it if
> the file which `is' the device doesn't have the correct permissions.
> The driver can make access more restrictive than the file permissions,
> but not less restrictive, or so I thought.
>
> Also, if I try opening /dev/kvm as uid 1001 and group id 1000, again not
> in any other groups, it fails.
>
> I don't understand how this could be. Also, it means that uid 1000/gid
> 1000 can run virtual processes. I want to be able to limit that, and I
> would have thought that /dev/kvm having mode 660 and being owned by
> root.root would have done it.
>
> If it is any help, I am running a stock Debian Squeeze. The kernel is
> 2.6.32-5-amd64.
>
> Any help or pointers explaining how /dev/kvm can be opened by uid
> 1000/gid 1000 would be greatly appreciated. Also any explanation about
> why uid 1000 is different than 1001.
>
>

Strange. Try changing the permissions to 600 or 060 to see if it's the
user or group that allows you access.

--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.