Libvirt Security Notice: LSN-2011-0001

Missing checks for read only connections on many APIs


Reported on: 20110303
Published on: 20110303
Fixed on: 20110314


Reported by: Jason Chen
Patched by: Guido Günther

See also


The APIs virConnectDomainXMLToNative, virNodeDeviceDettach, virNodeDeviceReAttach, virNodeDeviceReset, virDomainRevertToSnapshot and virDomainSnapshotDelete did not check the read-only flag of the connection. This allows unprivileged users to invoke APIs that they should not have access to.


The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user is able to detach arbitrary PCI host devices from their kernel drivers via the virNodeDeviceReAttach API. They can cause a kernel crash by resetting PCI devices via the virNodeDeviceReset API. They can manipulate, corrupt or destroy the state of guest machine snapshots via virDomainRevertToSnapshot or virDomainSnapshotDelete. They can run arbitrary commands as root by specifying a custom emulator in the XML passed to virConnectDomainXMLToNative.


Edit the /etc/libvirt/libvirtd.conf configuration file and set 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively, set up a PolicyKit rule that denies them access unless they first authenticate as root.
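
An added example, not part of the libvirt notice or of libvirt's own code: a Python check that reads libvirtd.conf text and reports whether the read-only socket is still reachable by local users after the workaround above. The 0777 fallback for an unset key is an assumption matching the default described in this notice, and the sample configurations are constructed.

```python
import re

# Assumption: when unix_sock_ro_perms is unset, libvirtd creates the read-only
# socket with mode 0777, the "all local user accounts" default described above.
DEFAULT_RO_PERMS = 0o777

# Matches an active (uncommented) assignment, quoted or bare octal.
_ASSIGN = re.compile(r'^\s*unix_sock_ro_perms\s*=\s*"?([0-7]{3,4})"?\s*(?:#.*)?$')


def ro_socket_modes(conf_text):
    """Return every active unix_sock_ro_perms mode found in libvirtd.conf text."""
    modes = []
    for line in conf_text.splitlines():
        match = _ASSIGN.match(line)
        if match:
            modes.append(int(match.group(1), 8))
    return modes


def audit_ro_socket(conf_text):
    """Classify read-only socket exposure as 'all-users', 'group' or 'owner-only'.

    If the key is assigned more than once, the union of the permission bits is
    judged, because which assignment libvirtd honours is not assumed here.
    """
    modes = ro_socket_modes(conf_text) or [DEFAULT_RO_PERMS]
    worst = 0
    for mode in modes:
        worst |= mode
    if worst & 0o007:
        return "all-users"
    if worst & 0o070:
        return "group"
    return "owner-only"


# Constructed sample configs, not taken from any real host.
SHIPPED_DEFAULT = '#unix_sock_ro_perms = "0777"\nunix_sock_group = "libvirt"\n'
MITIGATED = 'unix_sock_ro_perms = "0700"  # LSN-2011-0001 workaround\n'
CONFLICTING = 'unix_sock_ro_perms = "0700"\nunix_sock_ro_perms = "0770"\n'

if __name__ == "__main__":
    for name, text in [("default", SHIPPED_DEFAULT), ("mitigated", MITIGATED),
                       ("conflicting", CONFLICTING)]:
        print(f"{name}: {audit_ro_socket(text)}")
```

A commented-out or malformed setting counts as unset, so a configuration that merely mentions 0700 in a comment is still reported as exposed.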

Affected product: libvirt

Branch master
Broken in: v0.6.1
Broken in: v0.6.2
Broken in: v0.6.3
Broken in: v0.6.4
Broken in: v0.6.5
Broken in: v0.7.0
Broken in: v0.7.1
Broken in: v0.7.2
Broken in: v0.7.3
Broken in: v0.7.4
Broken in: v0.7.5
Broken in: v0.7.6
Broken in: v0.7.7
Broken in: v0.8.0
Broken in: v0.8.1
Broken in: v0.8.2
Broken in: v0.8.3
Broken in: v0.8.4
Broken in: v0.8.5
Broken in: v0.8.6
Broken in: v0.8.8
Fixed in: v0.9.0
Broken by: 737af2ea04aa1eb954635bd90d0dbcffdd7ff734
Broken by: 4d5383fd36c64a83520c9a6e09c946c4ba86cc29
Broken by: 2f992d4be4c6157feec4f88ac586f2c50a8fd466
Fixed by: 71753cb7f7a16ff800381c0b5ee4e99eea92fed3
