From 340225143c8f389cb12de610f6208fa643b31fbb Mon Sep 17 00:00:00 2001 Message-Id: <340225143c8f389cb12de610f6208fa643b31fbb.1383321465.git.jdenemar@redhat.com> From: "Daniel P. Berrange" Date: Wed, 30 Oct 2013 17:01:53 +0000 Subject: [PATCH] Only allow the UNIX transport in remote driver when setuid For https://bugzilla.redhat.com/show_bug.cgi?id=1015247 We don't know enough about quality of external libraries used for non-UNIX transports, nor do we want to spawn external commands when setuid. Restrict to the bare minimum which is UNIX transport for local usage. Users shouldn't need to be running setuid if connecting to remote hypervisors in any case. Signed-off-by: Daniel P. Berrange (cherry picked from commit e22b0232c7b94aefaef87c52c4d626fa532fcce3) Signed-off-by: Jiri Denemark --- src/libvirt.c | 6 ++++++ src/remote/remote_driver.c | 14 ++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/src/libvirt.c b/src/libvirt.c index 0a024a9..8a3cc42 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -1135,6 +1135,12 @@ do_open(const char *name, if (name && name[0] == '\0') name = NULL; + if (!name && virIsSUID()) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("An explicit URI must be provided when setuid")); + goto failed; + } + /* * If no URI is passed, then check for an environment string if not * available probe the compiled in drivers to find a default hypervisor diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 67daf79..b6b629c 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -488,6 +488,20 @@ doRemoteOpen(virConnectPtr conn, transport = trans_unix; } + /* + * We don't want to be executing external programs in setuid mode, + * so this rules out 'ext' and 'ssh' transports. Exclude libssh + * and tls too, since we're not confident the libraries are safe + * for setuid usage. Just allow UNIX sockets, since that does + * not require any external libraries or command execution + */ + if (virIsSUID() && + transport != trans_unix) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Only Unix socket URI transport is allowed in setuid mode")); + return VIR_DRV_OPEN_ERROR; + } + /* Local variables which we will initialize. These can * get freed in the failed: path. */ -- 1.8.4.2