From 340225143c8f389cb12de610f6208fa643b31fbb Mon Sep 17 00:00:00 2001
Message-Id: <340225143c8f389cb12de610f6208fa643b31fbb.1383321465.git.jdenemar@redhat.com>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Wed, 30 Oct 2013 17:01:53 +0000
Subject: [PATCH] Only allow the UNIX transport in remote driver when setuid
|
For
|
https://bugzilla.redhat.com/show_bug.cgi?id=1015247
|
We don't know enough about quality of external libraries used
for non-UNIX transports, nor do we want to spawn external
commands when setuid. Restrict to the bare minimum which is
UNIX transport for local usage. Users shouldn't need to be
running setuid if connecting to remote hypervisors in any
case.
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit e22b0232c7b94aefaef87c52c4d626fa532fcce3)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/libvirt.c | 6 ++++++
src/remote/remote_driver.c | 14 ++++++++++++++
2 files changed, 20 insertions(+)
|
diff --git a/src/libvirt.c b/src/libvirt.c
index 0a024a9..8a3cc42 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -1135,6 +1135,12 @@ do_open(const char *name,
if (name && name[0] == '\0')
name = NULL;
|
+ if (!name && virIsSUID()) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("An explicit URI must be provided when setuid"));
+ goto failed;
+ }
+
/*
* If no URI is passed, then check for an environment string if not
* available probe the compiled in drivers to find a default hypervisor
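Review bot: The new guard stops a NULL name from falling through to the environment lookup described in the comment just below it, which is right since a setuid process cannot trust its environment, but it leaves every non-NULL URI to whatever resolution follows later in do_open; if that code (outside this hunk) expands URI aliases from a per-user config file, a setuid caller can still redirect the connection through user-controlled data, and the same `virIsSUID()` condition should gate that path too. The refusal is reported as `VIR_ERR_INTERNAL_ERROR`, which misdescribes a deliberate policy check; `VIR_ERR_INVALID_ARG` would be a more accurate code for callers that switch on it. I would also record the reason next to the check, e.g. `/* Setuid: never trust the environment or probe drivers for a default URI */`. do_open begins before this hunk and continues past it, so the `failed:` cleanup path is not visible here.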
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 67daf79..b6b629c 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -488,6 +488,20 @@ doRemoteOpen(virConnectPtr conn,
transport = trans_unix;
}
|
+ /*
+ * We don't want to be executing external programs in setuid mode,
+ * so this rules out 'ext' and 'ssh' transports. Exclude libssh
+ * and tls too, since we're not confident the libraries are safe
+ * for setuid usage. Just allow UNIX sockets, since that does
+ * not require any external libraries or command execution
+ */
+ if (virIsSUID() &&
+ transport != trans_unix) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Only Unix socket URI transport is allowed in setuid mode"));
+ return VIR_DRV_OPEN_ERROR;
+ }
+
/* Local variables which we will initialize. These can
* get freed in the failed: path.
*/
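Review bot: The comment justifies allowing only the UNIX transport on the grounds that it needs no command execution, but the remote driver's local-socket path can also autostart the daemon when the connect fails, and nothing in this hunk turns that off when `virIsSUID()` is true; unless a later part of doRemoteOpen (outside this hunk) clears the autostart option in setuid mode, a setuid caller can still cause an external program to be spawned, so the same condition should disable autostart. Separately, if the URI query parsing further down honours a caller-supplied socket path, the privileged client can be pointed at an arbitrary UNIX socket and will then parse RPC from an attacker-chosen peer — worth either restricting to the default socket when setuid or a `/* TODO(setuid): socket= is caller-controlled */` note at this check. Minor: `VIR_ERR_INTERNAL_ERROR` is the wrong class for a deliberate policy refusal; `VIR_ERR_INVALID_ARG` or `VIR_ERR_OPERATION_UNSUPPORTED` would describe it more accurately. doRemoteOpen starts before this hunk and continues after it.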
--
1.8.4.2
|