From: "Daniel P. Berrange"
To: libvir-list@redhat.com
Date: Fri, 27 Oct 2017 15:18:42 +0100
Message-Id: <20171027141842.7931-1-berrange@redhat.com>
Subject: [libvirt] [PATCH dbus] Run system instance as an unprivileged user account

There is no reason for the libvirt-dbus daemon to require root privileges. All it actually needs is the ability to connect to libvirtd, which can be achieved by dropping in a polkit configuration file.

Now a libvirt connection to the system bus gives you privileges equivalent to root, so this doesn't really improve security on its own. It relies on there being a dbus policy that prevents users from issuing elevated APIs. For example, a DBus policy could allow non-root users to list VMs on the system bus and get their status (aka virsh list equiv). In this case, the security isolation does give some benefit.

Security can be further improved if the admin uses the libvirt polkit file to restrict what libvirt-dbus is permitted to do.
Signed-off-by: Daniel P. Berrange --- configure.ac | 5 +++++ data/Makefile.am | 33 +++++++++++++++++++++++++++------ data/system/libvirt-dbus.rules.in | 8 ++++++++ data/system/org.libvirt.conf | 2 +- data/system/org.libvirt.conf.in | 15 +++++++++++++++ data/system/org.libvirt.service.in | 2 +- libvirt-dbus.spec.in | 9 +++++++++ src/main.c | 8 ++++++++ 8 files changed, 74 insertions(+), 8 deletions(-) create mode 100644 data/system/libvirt-dbus.rules.in create mode 100644 data/system/org.libvirt.conf.in diff --git a/configure.ac b/configure.ac index 228ea11..aef3d37 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,11 @@ else fi AC_SUBST(DBUS_SYSTEM_POLICIES_DIR) =20 +LIBVIRT_ARG_WITH([SYSTEM_USER], [username to run system instance as], + ['libvirtdbus']) +SYSTEM_USER=3D$with_system_user +AC_SUBST([SYSTEM_USER]) + AC_OUTPUT(Makefile data/Makefile src/Makefile diff --git a/data/Makefile.am b/data/Makefile.am index 58e855f..3f27b02 100644 --- a/data/Makefile.am +++ b/data/Makefile.am @@ -9,18 +9,28 @@ system_servicedir =3D $(DBUS_SYSTEM_SERVICES_DIR) system_service_DATA =3D $(system_service_in_files:.service.in=3D.service) =20 system_policy_files =3D \ - system/org.libvirt.conf + system/org.libvirt.conf.in system_policydir =3D $(DBUS_SYSTEM_POLICIES_DIR) -system_policy_DATA =3D $(system_policy_files) +system_policy_DATA =3D $(system_policy_files:.conf.in=3D.conf) + +polkit_files =3D \ + system/libvirt-dbus.rules.in +polkit_policydir =3D $(sysconfdir)/polkit-1/rules.d +polkit_policy_DATA =3D $(polkit_files:.rules.in=3D.rules) =20 EXTRA_DIST =3D \ $(service_in_files) \ $(system_service_in_files) \ - $(system_policy_files) + $(system_policy_files) \ + $(polkit_files) \ + $(NULL) =20 CLEANFILES =3D \ $(service_DATA) \ - $(system_service_DATA) + $(system_service_DATA) \ + $(system_policy_DATA) \ + $(polkit_DATA) \ + $(NULL) =20 session/org.libvirt.service: session/org.libvirt.service.in $(AM_V_GEN)$(MKDIR_P) session && \ 
@@ -29,5 +39,16 @@ session/org.libvirt.service: session/org.libvirt.service= .in =20 system/org.libvirt.service: system/org.libvirt.service.in $(AM_V_GEN)$(MKDIR_P) system && \ - sed -e 's|[@]bindir[@]|$(bindir)|g' < $< > $@-t && \ - mv $@-t $@ + sed -e 's|[@]bindir[@]|$(bindir)|g' \ + -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ + +system/org.libvirt.conf: system/org.libvirt.conf.in + $(AM_V_GEN)$(MKDIR_P) system && \ + sed -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ + +system/libvirt-dbus.rules: system/libvirt-dbus.rules.in + $(AM_V_GEN)$(MKDIR_P) system && \ + sed -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|' \ + < $< > $@-t && mv $@-t $@ diff --git a/data/system/libvirt-dbus.rules.in b/data/system/libvirt-dbus.r= ules.in new file mode 100644 index 0000000..4eb4ee1 --- /dev/null +++ b/data/system/libvirt-dbus.rules.in @@ -0,0 +1,8 @@ +// Allow libvirt-dbus running in dedicated account to use libvirt + +polkit.addRule(function(action, subject) { + if (action.id =3D=3D "org.libvirt.unix.manage" && + subject.user =3D=3D "@SYSTEM_USER@") { + return polkit.Result.YES; + } +}); diff --git a/data/system/org.libvirt.conf b/data/system/org.libvirt.conf index 5cbc732..2b11717 100644 --- a/data/system/org.libvirt.conf +++ b/data/system/org.libvirt.conf @@ -4,7 +4,7 @@ =20 =20 - + diff --git a/data/system/org.libvirt.conf.in b/data/system/org.libvirt.conf= .in new file mode 100644 index 0000000..fe61b70 --- /dev/null +++ b/data/system/org.libvirt.conf.in @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + diff --git a/data/system/org.libvirt.service.in b/data/system/org.libvirt.s= ervice.in index 08d32a2..0d3abdd 100644 --- a/data/system/org.libvirt.service.in +++ b/data/system/org.libvirt.service.in @@ -1,4 +1,4 @@ [D-BUS Service] Name=3Dorg.libvirt Exec=3D@bindir@/libvirt-dbus --system -User=3Droot +User=3D@SYSTEM_USER@ diff --git a/libvirt-dbus.spec.in b/libvirt-dbus.spec.in index 5be4c22..572300f 100644 --- a/libvirt-dbus.spec.in 
+++ b/libvirt-dbus.spec.in @@ -19,6 +19,7 @@ BuildRequires: systemd-devel >=3D %{systemd_version} Requires: libvirt-libs >=3D %{libvirt_version} Requires: systemd-libs >=3D %{systemd_version} =20 +Requires(pre): shadow-utils =20 %description This package provides integration between libvirt and the DBus @@ -37,9 +38,17 @@ rm -rf $RPM_BUILD_ROOT %clean rm -rf $RPM_BUILD_ROOT =20 +%pre +getent group libvirtdbus >/dev/null || groupadd -r libvirtdbus +getent passwd libvirtdbus >/dev/null || \ + useradd -r -g libvirtdbus -d / -s /sbin/nologin \ + -c "Libvirt DBus bridge" libvirtdbus +exit 0 + %files %defattr(-,root,root,-) %doc README COPYING AUTHORS NEWS +%{_sysconfdir}/polkit-1/rules.d/libvirt-dbus.rules %{_bindir}/libvirt-dbus %{_datadir}/dbus-1/services/org.libvirt.service %{_datadir}/dbus-1/system-services/org.libvirt.service diff --git a/src/main.c b/src/main.c index a6a0212..225fb46 100644 --- a/src/main.c +++ b/src/main.c @@ -143,6 +143,14 @@ main(int argc, char *argv[]) } } =20 + if (uri =3D=3D NULL) { + if (system_bus) { + uri =3D "qemu:///system"; + } else { + uri =3D "qemu:///session"; + } + } + sigemptyset(&mask); sigaddset(&mask, SIGTERM); sigaddset(&mask, SIGINT); --=20 2.13.6 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
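Review bot: in the first data/Makefile.am hunk the CLEANFILES addition references `$(polkit_DATA)`, but the variable defined a few lines above it is `polkit_policy_DATA`, so the generated `system/libvirt-dbus.rules` is never removed by `make clean`; change the line to `$(polkit_policy_DATA) \`. In the same hunk, `polkit_policydir = $(sysconfdir)/polkit-1/rules.d` installs a vendor-shipped rule into the directory polkit reserves for local administrator rules; `$(datadir)/polkit-1/rules.d` is the conventional location for rules shipped by packages, leaving /etc for site overrides.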
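Review bot: in the second data/Makefile.am hunk the three `sed -e 's|[@]SYSTEM_USER[@]|$(SYSTEM_USER)|'` expressions lack the `g` flag that the neighbouring `@bindir@` substitution carries, so only the first `@SYSTEM_USER@` on any given line would be replaced; add `g` for consistency so a future template line with two occurrences does not silently keep a literal `@SYSTEM_USER@`.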
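Review bot: the data/system/org.libvirt.conf hunk modifies a tracked file that the data/Makefile.am changes in this same patch now generate from `org.libvirt.conf.in` and list in CLEANFILES, so the build will overwrite a checked-in file and `make clean` will delete it. The file should be removed from the tree (`git rm data/system/org.libvirt.conf`) rather than edited, with the intended content living only in the `.conf.in` template.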
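Review bot: the data/system/libvirt-dbus.rules.in hunk returns `polkit.Result.YES` for `org.libvirt.unix.manage` whenever `subject.user` matches the service account, which grants that account full management rights to libvirtd with no further condition; that is what the commit message says is intended, but the one-line comment ("Allow libvirt-dbus running in dedicated account to use libvirt") should state that it is the manage action being granted, and read "running in a dedicated account", so an admin reading the file knows what they are loosening or tightening.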
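Review bot: with `User=@SYSTEM_USER@` in the data/system/org.libvirt.service.in hunk, dbus-daemon will refuse to activate the service if that account does not exist, and in this patch only the RPM `%pre` scriptlet creates it; a plain `make install` leaves nothing to do so. Either document the required account in the README/INSTALL text or create it from the build, so non-RPM installs do not end up with a service that cannot be activated.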
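Review bot: in the second libvirt-dbus.spec.in hunk, `%pre` hardcodes the `libvirtdbus` account while the configure.ac hunk makes the name overridable via `--with-system-user`; if the spec ever passes that option, the account created here and the `User=` line in the installed service file will disagree. Either drop the configure option or have the spec create the account from the same `@SYSTEM_USER@` value. Separately, `%{_sysconfdir}/polkit-1/rules.d/libvirt-dbus.rules` is listed as a plain file in `%files`: if admins are expected to edit it, mark it `%config(noreplace)` so upgrades do not overwrite their changes; otherwise install it under `%{_datadir}/polkit-1/rules.d` and leave /etc for local overrides.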
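Review bot: the src/main.c hunk changes behaviour that the commit message does not mention: a NULL `uri` is now replaced with `qemu:///system` or `qemu:///session` depending on `system_bus`, whereas previously libvirt's own default-URI selection applied, and the new default hardcodes the QEMU driver. Add a sentence to the commit message explaining why the system instance must force `qemu:///system` (presumably because the unprivileged account would otherwise be handed a session connection), and consider making the default a build or command-line option rather than QEMU-specific.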