| Reported on: | 20190604 |
|---|---|
| Published on: | 20190620 |
| Fixed on: | 20190620 |
| Reported by: | Matthias Gerstner |
|---|---|
| Patched by: | Ján Tomko |
The virDomainManagedSaveDefineXML API redefines the manage-saved domain XML without checking for a read-only connection. This allows unprivileged users to check for existence of arbitrary files or executing arbitrary binaries with elevated privileges.
The default libvirt configuration allows all local user accounts read-only access to the libvirtd daemon. Any local user can provide an arbitrary emulator, executing arbitrary binaries as the configured QEMU user. Since v5.1.0, the emulator binary is run with CAP_DAC_OVERRIDE, essentially having root privileges.
Edit the /etc/libvirt/libvirtd.conf configuration file, to set the 'unix_sock_ro_perms = "0700"' to prevent local users from connecting to libvirt. Alternatively setup a policy kit rule to prevent them access without first authenticating as root.
| Branch | master |
|---|---|
| Broken in: | v3.7.0 |
| Broken in: | v3.8.0 |
| Broken in: | v3.9.0 |
| Broken in: | v3.10.0 |
| Broken in: | v4.0.0 |
| Broken in: | v4.1.0 |
| Broken in: | v4.2.0 |
| Broken in: | v4.3.0 |
| Broken in: | v4.4.0 |
| Broken in: | v4.5.0 |
| Broken in: | v4.6.0 |
| Broken in: | v4.7.0 |
| Broken in: | v4.8.0 |
| Broken in: | v4.9.0 |
| Broken in: | v4.10.0 |
| Broken in: | v5.0.0 |
| Broken in: | v5.1.0 |
| Broken in: | v5.2.0 |
| Broken in: | v5.3.0 |
| Broken in: | v5.4.0 |
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | db0b78457f183e4c7ac45bc94de86044a1e2056a |
| Branch | v3.7-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | e7d9c8899fc7751201b46b6cf6bff4eadb38af2f |
| Branch | v4.1-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | d9a1f3debad411756f53ab8ab81e44ab0bb50e0a |
| Branch | v4.2-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 1813138f6b00058285e325191d50c41ace39e5b3 |
| Branch | v4.3-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 9816854ac4e5ccd87cf82320b4550671e75f6509 |
| Branch | v4.4-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | e777cce08e069e29deedec540d463ed70c29e92c |
| Branch | v4.5-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | d025c10d54975fe98927be85f33146e780c28d52 |
| Branch | v4.6-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 00e673c93fc3d0cfed274cc7a1ec2c52260c8262 |
| Branch | v4.7-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 6da721ea37bf3624ff9922637cfa657d2dcb20f9 |
| Branch | v4.8-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 6dc29a174ae204b1ae13fed0f533818ad6d24b9f |
| Branch | v4.9-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 |
| Branch | v4.10-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 3f744efec31959f7643849f6a3708198bcdfc6ae |
| Branch | v5.0-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | a064d492272bcb0029b140ec4e18fce1ac0ec5b2 |
| Branch | v5.1-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 58c7c3fc4a0f15544c2054ed4682ff5d740681ab |
| Branch | v5.1.0-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Branch | v5.2-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | 96bca3af450cc62183b91a361f7024f93126bc49 |
| Branch | v5.3-maint |
|---|---|
| Broken by: | 1558f2584fd9b32c7903238bff2c9f12ba406ba6 |
| Fixed by: | f4dabe99f7f46520f2967f3e068fcbeb54e617df |