Libvirt Security Notice: LSN-2008-0001

Missing checks for read only connections on many APIs

Lifecycle

Reported on: 20081212
Published on: 20081217
Fixed on: 20081217

Credits

Reported by: Daniel P. Berrange
Patched by: Daniel P. Berrange

See also

Description

The APIs virDomainMigrate, virDomainBlockPeek, virDomainMemoryPeek, virDomainSetAutostart, virNetworkSetAutostart, virConnectFindStoragePoolSources and virStoragePoolSetAutostart did not check the read-only flag of the connection. This allowed unprivileged users to invoke APIs that they should not have access to.

Impact

The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can migrate a running virtual machine to a host of their choice. Any local user can change whether virtual machines, networks or storage pools start automatically on boot. Any local user can trigger discovery of storage pools. Any local user can peek into the disk image or memory of running guests.

Workaround

Edit the /etc/libvirt/libvirtd.conf configuration file and set 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively, set up a PolicyKit rule that denies them access unless they first authenticate as root.
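
One way to verify that the configuration workaround is in place is sketched below. This is an added example, not part of the original notice or of libvirt; the function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit libvirtd.conf for the LSN-2008-0001 workaround.
# Function names are hypothetical; the key name comes from the notice.

# Print the effective unix_sock_ro_perms value (last uncommented assignment
# wins). Prints nothing when the key is unset or its value is not octal.
ro_perms_value() {
    sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Return 0 if the read-only socket is closed to group and other,
# 1 if other local accounts can reach it, 2 if the file cannot be read.
ro_socket_restricted() {
    conf=$1
    [ -r "$conf" ] || return 2
    mode=$(ro_perms_value "$conf")
    # Unset: the daemon default applies, which the notice describes as
    # giving every local account read-only access.
    [ -n "$mode" ] || return 1
    # Any group/other permission bit set means the socket is still exposed.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Constructed sample: commented-out default followed by the workaround line.
write_sample_conf() {
    cat > "$1" <<'EOF'
#unix_sock_ro_perms = "0777"
unix_sock_group = "libvirt"
  unix_sock_ro_perms = "0700"   # LSN-2008-0001 workaround
EOF
}

# Usage: sh check.sh /etc/libvirt/libvirtd.conf
if [ "$#" -gt 0 ]; then
    rc=0
    ro_socket_restricted "$1" || rc=$?
    case $rc in
        0) echo "OK: read-only socket limited to its owner" ;;
        1) echo "EXPOSED: read-only socket reachable by other local accounts" ;;
        *) echo "ERROR: cannot read $1" ;;
    esac
fi
```

The check reads only the configuration file; libvirtd must be restarted for a changed value to take effect on the socket.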

Affected product: libvirt

Branch master
Broken in: v0.2.1
Broken in: v0.2.2
Broken in: v0.2.3
Broken in: v0.3.0
Broken in: v0.3.1
Broken in: v0.3.2
Broken in: v0.3.3
Broken in: v0.4.1
Broken in: v0.4.2
Broken in: v0.4.4
Broken in: v0.4.6
Broken in: v0.5.0
Broken in: v0.5.1
Fixed in: v0.6.0
Broken by: 57a18198814f80b1397e1a14d33746034b9dbd5c
Broken by: 81005437f4e860d6d65243473c593e4335193b13
Broken by: cb228a0e24266f43dbab208bd38965e511f714ee
Broken by: 8354895e681e8aee9bfa0290cb98123858165b91
Broken by: 6bcf25017bc66ef866768c7a827dfe03c96638f0
Broken by: 39c9354c5ce87e1205f41af4737f970aa4f6e5dd
Fixed by: 53611889ff93c442028828c70472151a7cf1bf4d
