Commit 6270001c authored by Guido Günther

CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm instances

This makes sure we don't chown files to groups possibly used
by other programs.

Closes: #701649
parent b1e4d651
......@@ -56,6 +56,9 @@ Access Control
Access to the libvirt socket is controlled by membership in the "libvirt" group.
If you want to manage VMs as non root you need to add a user to that group.
System QEMU/KVM processes are run as user and group libvirt-qemu. This can be
adjusted via /etc/libvirt/qemu.conf.
QEMU/KVM: Dropping Capabilties
==============================
Network interfaces of type "ethernet" use a script like /etc/qemu-ifup to set up
......
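Review bot: the added sentence "This can be adjusted via /etc/libvirt/qemu.conf" does not say which settings to change. Naming the `user` and `group` options there would match the NEWS entry in this same commit, which already refers to the "group option", and saves the reader a search through qemu.conf.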
libvirt (1.0.2-3) experimental; urgency=low
For qemu:///system KVM/QEMU processes now run as group libvirt-qemu. This
makes sure image files and volumes aren't accessible by users in the more
general and previously used kvm group. To change this behaviour adjust the
group option in /etc/libvirt/qemu.conf.
-- Guido Günther <agx@sigxcpu.org> Tue, 26 Feb 2013 06:30:48 +0100
libvirt (0.8.3-2) unstable; urgency=low
Disk format probing is disabled now by default for security reasons
......
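Review bot: the 1.0.2-3 entry explains the group change but never mentions CVE-2013-1766, which appears only in the commit subject. Adding the identifier lets administrators match this entry to the advisory. A sentence on what to check after upgrading, for example setups that relied on kvm group membership to reach image files and volumes, would make the impact of the new default concrete.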
......@@ -27,6 +27,9 @@ add_users_groups()
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm
fi
if ! getent group libvirt-qemu >/dev/null; then
addgroup --quiet --system libvirt-qemu
fi
if ! getent passwd libvirt-qemu >/dev/null; then
adduser --quiet \
--system \
......@@ -39,6 +42,7 @@ add_users_groups()
-gecos "Libvirt Qemu" \
libvirt-qemu
fi
adduser libvirt-qemu libvirt-qemu
}
......
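Review bot: `adduser libvirt-qemu libvirt-qemu` sits outside any guard and lacks `--quiet`, unlike the `addgroup --quiet` and `adduser --quiet` calls earlier in add_users_groups(), so it runs and prints on every invocation, including when the membership already exists. Suggest adding `--quiet` to keep it consistent with the other calls.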
......@@ -25,6 +25,14 @@ case "$1" in
delgroup libvirt || true
fi
if getent user libvirt-qemu >/dev/null; then
deluser libvirt || true
fi
if getent group libvirt-qemu >/dev/null; then
delgroup libvirt || true
fi
rm -rf /var/log/libvirt
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
......
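Review bot: the two new purge branches look copy-pasted from the libvirt cleanup above them and never act on libvirt-qemu. `getent user libvirt-qemu` queries a database named `user`, which getent does not provide (accounts live in `passwd`), so the test fails and the branch never runs. Both bodies also call `deluser libvirt` and `delgroup libvirt` rather than naming libvirt-qemu. Suggest `getent passwd libvirt-qemu` with `deluser libvirt-qemu || true` in the first branch and `delgroup libvirt-qemu || true` in the second, so a purge actually removes the account and group this package created.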
......@@ -71,7 +71,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
--disable-rpath \
$(WITH_QEMU) \
--with-qemu-user=libvirt-qemu \
--with-qemu-group=kvm \
--with-qemu-group=libvirt-qemu \
$(WITH_OPENVZ) \
--with-avahi \
--with-sasl \
......