LinuxQuestions.org


atelszewski 01-27-2017 06:05 PM

libvirt + lxc = root shell
 
Hi,

I have to really start looking into hardening my libvirt install.

Out of curiosity (which is a bad thing on its own ;-)) I created an LXC connection using virt-manager.
Then I chose to run in application sandbox mode, using /bin/bash.
Then I started the container.
Then I could happily browse my filesystem as root.
All of this from my regular user account.

Every day something new ;-)

--
Best regards,
Andrzej Telszewski

ponce 01-28-2017 01:11 AM

Hi Andrzej,

You are connecting via virt-manager to libvirtd, a service that already has root privileges, and to which connection is allowed to users belonging to the "users" group just for simplicity of use: maybe you missed it, but this is also noted in libvirt's README.

If you prefer, you can create another dedicated non-privileged group and rebuild (can be easier than editing config files) libvirt (and maybe qemu too), passing that parameter noted in the README, but that still won't stop the user that you put in that group from being able to obtain root shells on the host in a cgroup and a namespace managed by lxc, as it's the intended behaviour: either that, or you administer your libvirt only as root.
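
An added example, not part of the thread and not libvirt's or Slackware's own tooling: a small audit of the socket settings in libvirtd.conf-style text that flags the situation described in the post above, where a group can reach the privileged daemon read-write. The sample config and the `BROAD_GROUPS` set are constructed assumptions; `unix_sock_group`, `unix_sock_rw_perms` and `auth_unix_rw` are libvirtd.conf keys.

```python
import re

# Constructed sample libvirtd.conf content (not copied from the thread).
SAMPLE_CONF = '''
unix_sock_group = "users"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
#auth_unix_rw = "polkit"
auth_unix_rw = "none"
'''

# Assumption: groups that ordinary login accounts usually belong to.
BROAD_GROUPS = {"users", "staff"}

def parse_conf(text):
    """Collect uncommented key = value pairs, stripping quotes."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([a-z_]+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text, broad_groups=BROAD_GROUPS):
    """Return (severity, message) findings for the read-write socket."""
    s = parse_conf(text)
    findings = []
    for key in ("unix_sock_group", "unix_sock_rw_perms", "auth_unix_rw"):
        if key not in s:
            findings.append(("info", f"{key} not set; the build default applies"))
    if not {"unix_sock_rw_perms", "auth_unix_rw"} <= s.keys():
        return findings
    perms = int(s["unix_sock_rw_perms"], 8)
    unauth = s["auth_unix_rw"] == "none"
    group = s.get("unix_sock_group")
    if perms & 0o002 and unauth:
        findings.append(("high", "every local user can drive libvirtd read-write"))
    elif perms & 0o020 and unauth and group in broad_groups:
        findings.append(("high", f"group '{group}' is broad; its members are root-equivalent"))
    elif perms & 0o020 and unauth and group:
        findings.append(("review", f"members of '{group}' are root-equivalent; keep it small"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

The "review" result for a dedicated group reflects the point made in the post: narrowing the group limits who is root-equivalent, it does not remove the privilege.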

atelszewski 01-28-2017 05:40 AM

Hi,

I'm aware of the problem, I just need more motivation to work it out ;-)
Some time ago I was reading about permissions in the libvirt world and it offers some more interesting possibilities.

I've already been using a separate group for libvirt and QEMU for some time.
I'm also running QEMU in qemu://session mode rather than in qemu://system one.

Actually, I need the system libvirtd daemon to provide networking only.
Thanks to session mode, QEMU is run more like VirtualBox, i.e. everything is located in the regular user's home directory and all the processes (including libvirtd) are run as a regular user. I believe that is everything many of us need.

Quote:

Originally Posted by ponce
for simplicity of use

If I work out some solution, I will be pushing for changing the defaults.
Recently I read about MongoDB defaults.
They allowed for ease of use and for thousands of databases to be stolen.

I'm not writing to blame anybody, but once I find a solution, I will ;-)

--
Best regards,
Andrzej Telszewski


All times are GMT -5.