Our current defaults are root:wheel on FreeBSD and macOS, root:root
everywhere else.
Looking at what downstream distributions actually do, we can see that
these defaults are overridden the vast majority of the time, with a
number of variations showing up in the wild:
* qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
and... As it turns out, our very own spec file :)
* libvirt-qemu:libvirt-qemu -> Used by Debian.
* libvirt-qemu:kvm -> Used by Ubuntu.
* nobody:nobody -> Used by Arch Linux.
Based on the above, we can conclude that qemu:qemu are the preferred
credentials to be used when spawning a QEMU process, while our
current defaults get very little love.
Changing our defaults aligns with what most downstreams are actually
doing, promotes running QEMU under a non-root user - which is a very
good idea anyway - and shields random people building libvirt from
source from unwittingly running their guests as root.
Note that there are a very small number of downstreams that don't
override our defaults: Alpine Linux, FreeBSD and macOS. Of those,
only Alpine Linux is affected by this change; all three should
arguably have been setting --with-qemu-user and --with-qemu-group
explicitly regardless of this change.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
Proof that I'm not making any of this up ;)
* Alpine Linux
https://github.com/alpinelinux/aports/blob/master/main/libvirt/APKBUILD
* Arch Linux
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvirt-git#n113
* CentOS
https://git.centos.org/blob/rpms!libvirt.git/8d86411e5109d791edf49c7f43c08a06b80896af/SPECS!libvirt.spec#L226
* Debian
https://salsa.debian.org/libvirt-team/libvirt/blob/debian/sid/debian/rules#L94-95
* Fedora
https://src.fedoraproject.org/rpms/libvirt/blob/f29/f/libvirt.spec#_204
* FreeBSD
https://github.com/freebsd/freebsd-ports/blob/master/devel/libvirt/Makefile
* Gentoo
https://github.com/gentoo/gentoo/blob/master/app-emulation/libvirt/libvirt-5.1.0.ebuild#L296-L297
* macOS (Homebrew)
https://github.com/Homebrew/homebrew-core/blob/master/Formula/libvirt.rb
* OpenSUSE
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.0:Update/libvirt/libvirt.spec?expand=1
* Ubuntu
https://git.launchpad.net/ubuntu/+source/libvirt/tree/debian/rules?h=ubuntu/disco#n99
* Upstream
https://libvirt.org/git/?p=libvirt.git;a=blob;f=libvirt.spec.in;h=b7a35a0fb14f3360eb795c4ec9b0e46171d2e4ec;hb=HEAD#l196
m4/virt-driver-qemu.m4 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/m4/virt-driver-qemu.m4 b/m4/virt-driver-qemu.m4
index cb05c34265..2a1b86e891 100644
--- a/m4/virt-driver-qemu.m4
+++ b/m4/virt-driver-qemu.m4
@@ -44,8 +44,8 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_QEMU], [
default_qemu_user=root
default_qemu_group=wheel
else
- default_qemu_user=root
- default_qemu_group=root
+ default_qemu_user=qemu
+ default_qemu_group=qemu
fi
if test "x$with_qemu_user" = "xplatform dependent" ; then
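Review bot: the new else branch hard-codes qemu:qemu for every platform other than FreeBSD and macOS without checking that such an account exists on the build host, so a from-source build on a distro that names the account differently (the commit message itself lists libvirt-qemu on Debian and Ubuntu, nobody on Arch, and Alpine not overriding the default at all) ends up with a QEMU driver configured for a user and group that are not there. Since this default is only used when --with-qemu-user/--with-qemu-group are left at "platform dependent" (the test immediately after the hunk), consider probing the known names in preference order (qemu, libvirt-qemu, ...) and falling back to root:root only with a loud configure-time warning, rather than silently selecting a name; the commit message should also state plainly that Alpine's packaging will start spawning QEMU as qemu:qemu instead of root:root.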
--
2.20.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> Our current defaults are root:wheel on FreeBSD and macOS, root:root
> everywhere else.
>
> Looking at what downstream distributions actually do, we can see that
> these defaults are overridden the vast majority of the time, with a
> number of variations showing up in the wild:
>
> * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
>   and... As it turns out, our very own spec file :)
>
> * libvirt-qemu:libvirt-qemu -> Used by Debian.
>
> * libvirt-qemu:kvm -> Used by Ubuntu.
>
> * nobody:nobody -> Used by Arch Linux.
>
> Based on the above, we can conclude that qemu:qemu are the preferred
> credentials to be used when spawning a QEMU process, while our
> current defaults get very little love.
>
> Changing our defaults aligns with what most downstreams are actually
> doing, promotes running QEMU under a non-root user - which is a very
> good idea anyway - and shields random people building libvirt from
> source from unwittingly running their guests as root.

While I understand the motivation, this impl is problematic because
it will guarantee that someone building & installing libvirt from
source on Debian, Ubuntu and Arch will have a non-functional QEMU
driver as it will try to use a "qemu:qemu" user/group which does
not exist on those distros.

If we want to change this, we must ensure that we honour the distro
specific user/group names you show above, and fallback to root/root
for distros we don't know about.

> Note that there are a very small number of downstreams that don't
> override our defaults: Alpine Linux, FreeBSD and macOS. Of those,
> only Alpine Linux is affected by this change; all three should
> arguably have been setting --with-qemu-user and --with-qemu-group
> explicitly regardless of this change.
>
> Signed-off-by: Andrea Bolognani <abologna@redhat.com>
> ---
>
> Proof that I'm not making any of this up ;)
>
> * Alpine Linux
>   https://github.com/alpinelinux/aports/blob/master/main/libvirt/APKBUILD
>
> * Arch Linux
>   https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=libvirt-git#n113
>
> * CentOS
>   https://git.centos.org/blob/rpms!libvirt.git/8d86411e5109d791edf49c7f43c08a06b80896af/SPECS!libvirt.spec#L226
>
> * Debian
>   https://salsa.debian.org/libvirt-team/libvirt/blob/debian/sid/debian/rules#L94-95
>
> * Fedora
>   https://src.fedoraproject.org/rpms/libvirt/blob/f29/f/libvirt.spec#_204
>
> * FreeBSD
>   https://github.com/freebsd/freebsd-ports/blob/master/devel/libvirt/Makefile
>
> * Gentoo
>   https://github.com/gentoo/gentoo/blob/master/app-emulation/libvirt/libvirt-5.1.0.ebuild#L296-L297
>
> * macOS (Homebrew)
>   https://github.com/Homebrew/homebrew-core/blob/master/Formula/libvirt.rb
>
> * OpenSUSE
>   https://build.opensuse.org/package/view_file/openSUSE:Leap:15.0:Update/libvirt/libvirt.spec?expand=1
>
> * Ubuntu
>   https://git.launchpad.net/ubuntu/+source/libvirt/tree/debian/rules?h=ubuntu/disco#n99
>
> * Upstream
>   https://libvirt.org/git/?p=libvirt.git;a=blob;f=libvirt.spec.in;h=b7a35a0fb14f3360eb795c4ec9b0e46171d2e4ec;hb=HEAD#l196
>
>  m4/virt-driver-qemu.m4 | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/m4/virt-driver-qemu.m4 b/m4/virt-driver-qemu.m4
> index cb05c34265..2a1b86e891 100644
> --- a/m4/virt-driver-qemu.m4
> +++ b/m4/virt-driver-qemu.m4
> @@ -44,8 +44,8 @@ AC_DEFUN([LIBVIRT_DRIVER_CHECK_QEMU], [
> default_qemu_user=root
> default_qemu_group=wheel
> else
> - default_qemu_user=root
> - default_qemu_group=root
> + default_qemu_user=qemu
> + default_qemu_group=qemu

This would need to be much more clever

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
On Tue, Mar 26, 2019 at 01:20:46PM +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > everywhere else.
> >
> > Looking at what downstream distributions actually do, we can see that
> > these defaults are overridden the vast majority of the time, with a
> > number of variations showing up in the wild:
> >
> > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> >   and... As it turns out, our very own spec file :)
> >
> > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> >
> > * libvirt-qemu:kvm -> Used by Ubuntu.
> >
> > * nobody:nobody -> Used by Arch Linux.
> >
> > Based on the above, we can conclude that qemu:qemu are the preferred
> > credentials to be used when spawning a QEMU process, while our
> > current defaults get very little love.
> >
> > Changing our defaults aligns with what most downstreams are actually
> > doing, promotes running QEMU under a non-root user - which is a very
> > good idea anyway - and shields random people building libvirt from
> > source from unwittingly running their guests as root.
>
> While I understand the motivation, this impl is problematic because
> it will guarantee that someone building & installing libvirt from
> source on Debian, Ubuntu and Arch will have a non-functional QEMU
> driver as it will try to use a "qemu:qemu" user/group which does
> not exist on those distros.
>
> If we want to change this, we must ensure that we honour the distro
> specific user/group names you show above, and fallback to root/root
> for distros we don't know about.

Or possibly we can fallback to nobody or similar that is used by every
distro. That way we would not use root:root for unknown distros as
well.

Pavel
On Tue, Mar 26, 2019 at 02:30:00PM +0100, Pavel Hrdina wrote:
> On Tue, Mar 26, 2019 at 01:20:46PM +0000, Daniel P. Berrangé wrote:
> > On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > > everywhere else.
> > >
> > > Looking at what downstream distributions actually do, we can see that
> > > these defaults are overridden the vast majority of the time, with a
> > > number of variations showing up in the wild:
> > >
> > > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> > >   and... As it turns out, our very own spec file :)
> > >
> > > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> > >
> > > * libvirt-qemu:kvm -> Used by Ubuntu.
> > >
> > > * nobody:nobody -> Used by Arch Linux.
> > >
> > > Based on the above, we can conclude that qemu:qemu are the preferred
> > > credentials to be used when spawning a QEMU process, while our
> > > current defaults get very little love.
> > >
> > > Changing our defaults aligns with what most downstreams are actually
> > > doing, promotes running QEMU under a non-root user - which is a very
> > > good idea anyway - and shields random people building libvirt from
> > > source from unwittingly running their guests as root.
> >
> > While I understand the motivation, this impl is problematic because
> > it will guarantee that someone building & installing libvirt from
> > source on Debian, Ubuntu and Arch will have a non-functional QEMU
> > driver as it will try to use a "qemu:qemu" user/group which does
> > not exist on those distros.
> >
> > If we want to change this, we must ensure that we honour the distro
> > specific user/group names you show above, and fallback to root/root
> > for distros we don't know about.
>
> Or possibly we can fallback to nobody or similar that is used by every
> distro. That way we would not use root:root for unknown distros as
> well.

I'm not sure falling back to "nobody" is a good idea. The "nobody"
account is often used for setting file permissions on things that
nothing should be allowed to access. By running qemu as "nobody"
we would be given access to those files which may be a security
issue. Yes Arch is using this account, so they've decided it is
safe for their distro, but we can't assume other distros use "nobody"
the same way as Arch.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
On Tue, Mar 26, 2019 at 01:36:14PM +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 26, 2019 at 02:30:00PM +0100, Pavel Hrdina wrote:
> > On Tue, Mar 26, 2019 at 01:20:46PM +0000, Daniel P. Berrangé wrote:
> > > On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > > > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > > > everywhere else.
> > > >
> > > > Looking at what downstream distributions actually do, we can see that
> > > > these defaults are overridden the vast majority of the time, with a
> > > > number of variations showing up in the wild:
> > > >
> > > > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> > > >   and... As it turns out, our very own spec file :)
> > > >
> > > > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> > > >
> > > > * libvirt-qemu:kvm -> Used by Ubuntu.
> > > >
> > > > * nobody:nobody -> Used by Arch Linux.
> > > >
> > > > Based on the above, we can conclude that qemu:qemu are the preferred
> > > > credentials to be used when spawning a QEMU process, while our
> > > > current defaults get very little love.
> > > >
> > > > Changing our defaults aligns with what most downstreams are actually
> > > > doing, promotes running QEMU under a non-root user - which is a very
> > > > good idea anyway - and shields random people building libvirt from
> > > > source from unwittingly running their guests as root.
> > >
> > > While I understand the motivation, this impl is problematic because
> > > it will guarantee that someone building & installing libvirt from
> > > source on Debian, Ubuntu and Arch will have a non-functional QEMU
> > > driver as it will try to use a "qemu:qemu" user/group which does
> > > not exist on those distros.
> > >
> > > If we want to change this, we must ensure that we honour the distro
> > > specific user/group names you show above, and fallback to root/root
> > > for distros we don't know about.
> >
> > Or possibly we can fallback to nobody or similar that is used by every
> > distro. That way we would not use root:root for unknown distros as
> > well.
>
> I'm not sure falling back to "nobody" is a good idea. The "nobody"
> account is often used for setting file permissions on things that
> nothing should be allowed to access. By running qemu as "nobody"
> we would be given access to those files which may be a security
> issue. Yes Arch is using this account, so they've decided it is
> safe for their distro, but we can't assume other distros use "nobody"
> the same way as Arch.

Right, did not realize that. I guess that there is no other user widely
used by the majority of distributions so we probably need to fallback to
root:root.

Pavel
On Tue, Mar 26, 2019 at 04:20:02PM +0100, Pavel Hrdina wrote:
> On Tue, Mar 26, 2019 at 01:36:14PM +0000, Daniel P. Berrangé wrote:
> > On Tue, Mar 26, 2019 at 02:30:00PM +0100, Pavel Hrdina wrote:
> > > On Tue, Mar 26, 2019 at 01:20:46PM +0000, Daniel P. Berrangé wrote:
> > > > On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > > > > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > > > > everywhere else.
> > > > >
> > > > > Looking at what downstream distributions actually do, we can see that
> > > > > these defaults are overridden the vast majority of the time, with a
> > > > > number of variations showing up in the wild:
> > > > >
> > > > > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> > > > >   and... As it turns out, our very own spec file :)
> > > > >
> > > > > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> > > > >
> > > > > * libvirt-qemu:kvm -> Used by Ubuntu.
> > > > >
> > > > > * nobody:nobody -> Used by Arch Linux.
> > > > >
> > > > > Based on the above, we can conclude that qemu:qemu are the preferred
> > > > > credentials to be used when spawning a QEMU process, while our
> > > > > current defaults get very little love.
> > > > >
> > > > > Changing our defaults aligns with what most downstreams are actually
> > > > > doing, promotes running QEMU under a non-root user - which is a very
> > > > > good idea anyway - and shields random people building libvirt from
> > > > > source from unwittingly running their guests as root.
> > > >
> > > > While I understand the motivation, this impl is problematic because
> > > > it will guarantee that someone building & installing libvirt from
> > > > source on Debian, Ubuntu and Arch will have a non-functional QEMU
> > > > driver as it will try to use a "qemu:qemu" user/group which does
> > > > not exist on those distros.
> > > >
> > > > If we want to change this, we must ensure that we honour the distro
> > > > specific user/group names you show above, and fallback to root/root
> > > > for distros we don't know about.
> > >
> > > Or possibly we can fallback to nobody or similar that is used by every
> > > distro. That way we would not use root:root for unknown distros as
> > > well.
> >
> > I'm not sure falling back to "nobody" is a good idea. The "nobody"
> > account is often used for setting file permissions on things that
> > nothing should be allowed to access. By running qemu as "nobody"
> > we would be given access to those files which may be a security
> > issue. Yes Arch is using this account, so they've decided it is
> > safe for their distro, but we can't assume other distros use "nobody"
> > the same way as Arch.
>
> Right, did not realize that. I guess that there is no other user widely
> used by majority of distributions so we probably need to fallback to
> root:root.

Of course I should note running with root:root is guaranteed to be
insecure on every distro :-) The point is more that running as "nobody"
gives a potentially problematic sense of security.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
On Tue, 2019-03-26 at 13:20 +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > everywhere else.
> >
> > Looking at what downstream distributions actually do, we can see that
> > these defaults are overridden the vast majority of the time, with a
> > number of variations showing up in the wild:
> >
> > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> >   and... As it turns out, our very own spec file :)
> >
> > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> >
> > * libvirt-qemu:kvm -> Used by Ubuntu.
> >
> > * nobody:nobody -> Used by Arch Linux.
> >
> > Based on the above, we can conclude that qemu:qemu are the preferred
> > credentials to be used when spawning a QEMU process, while our
> > current defaults get very little love.
> >
> > Changing our defaults aligns with what most downstreams are actually
> > doing, promotes running QEMU under a non-root user - which is a very
> > good idea anyway - and shields random people building libvirt from
> > source from unwittingly running their guests as root.
>
> While I understand the motivation, this impl is problematic because
> it will guarantee that someone building & installing libvirt from
> source on Debian, Ubuntu and Arch will have a non-functional QEMU
> driver as it will try to use a "qemu:qemu" user/group which does
> not exist on those distros.
>
> If we want to change this, we must ensure that we honour the distro
> specific user/group names you show above, and fallback to root/root
> for distros we don't know about.

Solid point. I'm not sure we want to bake all those values into our
build system, though...

Perhaps we should go about this a different way, and print a fairly
fat warning in the configure recap when no better option has been
provided by the user and so we end up having to use root:root as a
fallback?

-- 
Andrea Bolognani / Red Hat / Virtualization
On Tue, Mar 26, 2019 at 02:30:33PM +0100, Andrea Bolognani wrote:
> On Tue, 2019-03-26 at 13:20 +0000, Daniel P. Berrangé wrote:
> > On Tue, Mar 26, 2019 at 12:49:28PM +0100, Andrea Bolognani wrote:
> > > Our current defaults are root:wheel on FreeBSD and macOS, root:root
> > > everywhere else.
> > >
> > > Looking at what downstream distributions actually do, we can see that
> > > these defaults are overridden the vast majority of the time, with a
> > > number of variations showing up in the wild:
> > >
> > > * qemu:qemu -> Used by CentOS, Fedora, Gentoo, OpenSUSE, RHEL
> > >   and... As it turns out, our very own spec file :)
> > >
> > > * libvirt-qemu:libvirt-qemu -> Used by Debian.
> > >
> > > * libvirt-qemu:kvm -> Used by Ubuntu.
> > >
> > > * nobody:nobody -> Used by Arch Linux.
> > >
> > > Based on the above, we can conclude that qemu:qemu are the preferred
> > > credentials to be used when spawning a QEMU process, while our
> > > current defaults get very little love.
> > >
> > > Changing our defaults aligns with what most downstreams are actually
> > > doing, promotes running QEMU under a non-root user - which is a very
> > > good idea anyway - and shields random people building libvirt from
> > > source from unwittingly running their guests as root.
> >
> > While I understand the motivation, this impl is problematic because
> > it will guarantee that someone building & installing libvirt from
> > source on Debian, Ubuntu and Arch will have a non-functional QEMU
> > driver as it will try to use a "qemu:qemu" user/group which does
> > not exist on those distros.
> >
> > If we want to change this, we must ensure that we honour the distro
> > specific user/group names you show above, and fallback to root/root
> > for distros we don't know about.
>
> Solid point. I'm not sure we want to bake all those values into our
> build system, though...

I don't see why not. It will not be the worst thing in our configure
script by a long way.

> Perhaps we should go about this a different way, and print a fairly
> fat warning in the configure recap when no better option has been
> provided by the user and so we end up having to use root:root as a
> fallback?

Sure, we should add a warning if using root/root

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
On Tue, 2019-03-26 at 13:37 +0000, Daniel P. Berrangé wrote:
> On Tue, Mar 26, 2019 at 02:30:33PM +0100, Andrea Bolognani wrote:
> > > If we want to change this, we must ensure that we honour the distro
> > > specific user/group names you show above, and fallback to root/root
> > > for distros we don't know about.
> >
> > Solid point. I'm not sure we want to bake all those values into our
> > build system, though...
>
> I don't see why not. It will not be the worst thing in our configure
> script by a long way.
>
> > Perhaps we should go about this a different way, and print a fairly
> > fat warning in the configure recap when no better option has been
> > provided by the user and so we end up having to use root:root as a
> > fallback?
>
> Sure, we should add a warning if using root/root

Alright, I'll give it a (second) stab.

-- 
Andrea Bolognani / Red Hat / Virtualization
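The approach the thread converges on (honour the distro-specific account names, refuse to adopt "nobody", and fall back to root:root only with a loud warning) sketched as a standalone POSIX shell script. This is an added example, not libvirt's configure logic or anything posted in the thread: the function names, the candidate list and its ordering, and the file-based lookup (passwd/group-format files passed in as arguments, so it runs offline against constructed samples) are all assumptions; a real configure check would query the build host's account database, for instance via getent.

```shell
#!/bin/sh
# Added example, not libvirt code: pick a default QEMU user:group by trying
# distro-specific accounts in preference order, skipping "nobody" (reserved
# on many systems for things nothing should be able to read), and falling
# back to root:root only with a warning on stderr and a non-zero status.
#
# Lookups read passwd/group-format files passed as arguments so the script
# runs offline against constructed samples; a real configure check would
# query the build host's account database instead (e.g. getent passwd/group).

# account_exists FILE NAME: true if NAME is the first colon-separated field
# of some line in FILE (the layout shared by /etc/passwd and /etc/group).
account_exists() {
    awk -F: -v name="$2" '$1 == name { found = 1 } END { exit !found }' "$1"
}

# pick_qemu_account PASSWD GROUP CANDIDATE...
# Each CANDIDATE is "user:group". Prints the first pair whose user and group
# both exist and returns 0; otherwise warns, prints root:root and returns 1
# so the caller (e.g. a configure recap) can flag the insecure default.
pick_qemu_account() {
    passwd_db=$1
    group_db=$2
    shift 2
    for cand in "$@"; do
        user=${cand%%:*}
        group=${cand#*:}
        case "$user:$group" in
            *nobody*) continue ;;   # never silently adopt the nobody account
        esac
        if account_exists "$passwd_db" "$user" && account_exists "$group_db" "$group"; then
            printf '%s:%s\n' "$user" "$group"
            return 0
        fi
    done
    echo "WARNING: no unprivileged QEMU account found; defaulting to root:root." >&2
    echo "WARNING: set --with-qemu-user/--with-qemu-group to a dedicated account." >&2
    printf 'root:root\n'
    return 1
}

# Preference order taken from the survey in the commit message (qemu:qemu on
# the RPM-based distros and Gentoo, libvirt-qemu on Debian/Ubuntu). Arch's
# nobody:nobody is listed only to show that it gets skipped.
DEFAULT_CANDIDATES="qemu:qemu libvirt-qemu:libvirt-qemu libvirt-qemu:kvm nobody:nobody"

# write_sample_dbs DIR: constructed (not real) account databases for three
# hosts: Fedora-style, Debian-style, and one with no dedicated account.
write_sample_dbs() {
    mkdir -p "$1"
    printf 'root:x:0:0:root:/root:/bin/sh\nqemu:x:107:107:qemu user:/:/sbin/nologin\nnobody:x:65534:65534:Nobody:/:/sbin/nologin\n' > "$1/fedora.passwd"
    printf 'root:x:0:\nkvm:x:36:\nqemu:x:107:\nnobody:x:65534:\n' > "$1/fedora.group"
    printf 'root:x:0:0:root:/root:/bin/sh\nlibvirt-qemu:x:64055:64055:Libvirt Qemu:/var/lib/libvirt:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n' > "$1/debian.passwd"
    printf 'root:x:0:\nkvm:x:108:\nlibvirt-qemu:x:64055:\nnogroup:x:65534:\n' > "$1/debian.group"
    printf 'root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:Nobody:/:/sbin/nologin\n' > "$1/unknown.passwd"
    printf 'root:x:0:\nnobody:x:65534:\n' > "$1/unknown.group"
}

# Stand-alone demonstration against the constructed samples.
tmp=$(mktemp -d)
write_sample_dbs "$tmp"
for host in fedora debian unknown; do
    printf '%-8s -> ' "$host"
    pick_qemu_account "$tmp/$host.passwd" "$tmp/$host.group" $DEFAULT_CANDIDATES || :
done
rm -rf "$tmp"
```

Run as-is it prints qemu:qemu for the Fedora-style host, libvirt-qemu:libvirt-qemu for the Debian-style one, and root:root plus the two warning lines for the host with no dedicated account. Because the nobody:nobody candidate is skipped before any lookup, a host where that is the only non-root account also lands on the warned root:root path rather than quietly inheriting whatever files are owned by nobody, which is the point Daniel raises above.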
© 2016 - 2024 Red Hat, Inc.