| Reported on: | 20110303 |
|---|---|
| Published on: | 20110303 |
| Fixed on: | 20110314 |
| Reported by: | Jason Chen |
| Patched by: | Guido Günther |
The APIs virConnectDomainXMLToNative, virNodeDeviceDettach, virNodeDeviceReAttach, virNodeDeviceReset, virDomainRevertToSnapshot, virDomainSnapshotDelete did not check the read-only flag of the connection. This allowed unprivileged users to invoke APIs that they should not have access to.
The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user is able to detach arbitrary PCI host devices from their kernel drivers via the virNodeDeviceReAttach API. They can cause a kernel crash by resetting PCI devices via the virNodeDeviceReset API. They can manipulate, corrupt or destroy the state of guest machine snapshots via virDomainRevertToSnapshot or virDomainSnapshotDelete. They can run arbitrary commands as root by specifying a custom emulator in the XML passed to virConnectDomainXMLToNative.
Edit the /etc/libvirt/libvirtd.conf configuration file and set 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively, set up a PolicyKit rule that denies them access unless they first authenticate as root.
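The following shell script is an added example, not part of the advisory or of libvirt itself, that audits a libvirtd.conf for the workaround described above. It assumes the setting is written as a quoted octal string on its own line, as in the stock configuration file, and that a commented-out or absent `unix_sock_ro_perms` falls back to libvirtd's built-in default of "0777" (read-only socket open to every local user). The two configuration files it checks are constructed inline for illustration.

```shell
#!/bin/sh
# Added example (not libvirt's own code): report the effective
# unix_sock_ro_perms of a libvirtd.conf and flag files where local
# users can still reach the read-only socket.

# Effective value of unix_sock_ro_perms in the file given as $1.
# Assumption: a missing or commented-out setting means the daemon
# default of "0777".
ro_perms() {
    val=$(sed -n 's/^[[:space:]]*unix_sock_ro_perms[[:space:]]*=[[:space:]]*"\([0-7]*\)".*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "0777"
    fi
}

# Returns 0 (locked down) when neither group nor other has any permission
# bit on the socket, i.e. only the socket owner (root) can connect;
# returns 1 when any local user could still open the read-only socket.
ro_socket_locked_down() {
    perms=$(ro_perms "$1")
    # last two octal digits are the group and other permission bits
    tail2=$(printf '%s' "$perms" | tail -c 2)
    case "$tail2" in
        00) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample configs (not files taken from the page): the first
# mirrors a stock libvirtd.conf that leaves the setting commented out,
# the second applies the advisory's workaround.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# Set the UNIX socket permissions for the R/O socket.
#unix_sock_ro_perms = "0777"
EOF

FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
# Workaround: only root may connect to the read-only socket.
unix_sock_ro_perms = "0700"
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if ro_socket_locked_down "$f"; then
        printf '%s: unix_sock_ro_perms=%s OK\n' "$f" "$(ro_perms "$f")"
    else
        printf '%s: unix_sock_ro_perms=%s exposes libvirtd to all local users\n' "$f" "$(ro_perms "$f")"
    fi
done
```

Point `ro_socket_locked_down` at the real /etc/libvirt/libvirtd.conf to check a host; a non-zero group or other digit means the workaround has not been applied and the read-only socket is still reachable by unprivileged local accounts.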