This also affects stable, bpo and wheezzy. The attached fix that I
applied to the version in experimental applies to 0.9.12 as well.
However I won't have a chance to test the wheezy version in a reasonable
setup (bridged network, lvm, kvm) for the next days/weeks so I'm not
uploading a new version for wheezy yet.
If somebody else could pick that up it'd be great. Note that this is not
remote and only affects users/processes in the kvm group.
Cheers,
-- Guido
>From 181eab16a034ee7dce50ec932d31cb051bf9dc9c Mon Sep 17 00:00:00 2001
Message-Id: <181eab16a034ee7dce50ec932d31cb051bf9dc9c.1361875378.git....@sigxcpu.org>
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org>
Date: Tue, 26 Feb 2013 06:28:30 +0100
Subject: [PATCH] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
instances
This makes sure we don't chown files to groups possibly used
by other programs.
Closes: #701649
---
debian/README.Debian | 3 +++
debian/libvirt-bin.NEWS | 9 +++++++++
debian/libvirt-bin.postinst | 4 ++++
debian/libvirt-bin.postrm | 8 ++++++++
debian/rules | 2 +-
5 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/debian/README.Debian b/debian/README.Debian
index 6248662..de12bbb 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -56,6 +56,9 @@ Access Control
Access to the libvirt socket is controlled by membership in the "libvirt" group.
If you want to manage VMs as non root you need to add a user to that group.
+System QEMU/KVM processes are run as user and group libvirt-qemu. This can be
+adjusted via /etc/libvirt/qemu.conf.
+
QEMU/KVM: Dropping Capabilties
==============================
Network interfaces of type "ethernet" use a script like /etc/qemu-ifup to set up
diff --git a/debian/libvirt-bin.NEWS b/debian/libvirt-bin.NEWS
index ee32190..9228350 100644
--- a/debian/libvirt-bin.NEWS
+++ b/debian/libvirt-bin.NEWS
@@ -1,3 +1,12 @@
+libvirt (1.0.2-3) experimental; urgency=low
+
+ For qemu:///system KVM/QEMU processes now run as group libvirt-qemu. This
+ makes sure image files and volumes aren't accessible by users in the more
+ general and previously used kvm group. To change this behaviour adjust the
+ group option in /etc/libvirt/qemu.conf.
+
+ -- Guido Günther <a...@sigxcpu.org> Tue, 26 Feb 2013 06:30:48 +0100
+
libvirt (0.8.3-2) unstable; urgency=low
Disk format probing is disabled now by default for security reasons
diff --git a/debian/libvirt-bin.postinst b/debian/libvirt-bin.postinst
index c22dd21..53119a2 100644
--- a/debian/libvirt-bin.postinst
+++ b/debian/libvirt-bin.postinst
@@ -27,6 +27,9 @@ add_users_groups()
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm
fi
+ if ! getent group libvirt-qemu >/dev/null; then
+ addgroup --quiet --system libvirt-qemu
+ fi
if ! getent passwd libvirt-qemu >/dev/null; then
adduser --quiet \
--system \
@@ -39,6 +42,7 @@ add_users_groups()
-gecos "Libvirt Qemu" \
libvirt-qemu
fi
+ adduser libvirt-qemu libvirt-qemu
}
diff --git a/debian/libvirt-bin.postrm b/debian/libvirt-bin.postrm
index 5f67537..77e77d6 100644
--- a/debian/libvirt-bin.postrm
+++ b/debian/libvirt-bin.postrm
@@ -25,6 +25,14 @@ case "$1" in
delgroup libvirt || true
fi
+ if getent user libvirt-qemu >/dev/null; then
+ deluser libvirt || true
+ fi
+
+ if getent group libvirt-qemu >/dev/null; then
+ delgroup libvirt || true
+ fi
+
rm -rf /var/log/libvirt
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
diff --git a/debian/rules b/debian/rules
index 8127900..65e35d4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -58,7 +58,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
--disable-rpath \
$(WITH_QEMU) \
--with-qemu-user=libvirt-qemu \
- --with-qemu-group=kvm \
+ --with-qemu-group=libvirt-qemu \
$(WITH_OPENVZ) \
--with-avahi \
--with-sasl \
--
1.7.10.4
