From nobody Mon Nov 25 16:31:09 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) client-ip=205.139.110.61; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1596804388; cv=none; d=zohomail.com; s=zohoarc; b=iGjqXdvXr1IhMRn1KezdPG9Aos4q/Nn0CFuxw32ae0ue9lb39gjz+9nZJEJ0wJYXS8zZ++lVa4BtN+1qAFr+XHrUBNdXLZa4v5EzgX15j9iH4vYJk478hBDt9oV3zOvPEb98sCpZK9MoTBcRtvdihtGUjtZ6Cjzk47y7ZH6NVoo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1596804388; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=nHsNxakKrQPMWIsWtCEikE84BdOMOKzgBu9p3oQRGd0=; b=WZbFr/5fnzwtw4ZAvC0vkb7VW2ORx/MAvAQaJtsyFgS7C4MrhW//rZ48JUHV5C4Urgpwxa6trDfqmBIZ9G3bOVBoXWuolbdmYB6g8qZs/iVyZCZco0WGkJnEx//x8APWfzxbg6C3FfxkjsoyJWKJQltIfkrCSNo1v7GuD8m81DU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.61 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) by mx.zohomail.com with SMTPS id 15968043882611013.1757454582191; Fri, 7 Aug 2020 05:46:28 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-344-fIk1fO2SPTGDpqhE21ZXhQ-1; Fri, 07 Aug 2020 08:46:23 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A31DA800685; Fri, 7 Aug 2020 12:46:12 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B2BBC6111F; Fri, 7 Aug 2020 12:46:09 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 88E1796925; Fri, 7 Aug 2020 12:46:05 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 077Ck3Sl001317 for ; Fri, 7 Aug 2020 08:46:03 -0400 Received: by smtp.corp.redhat.com (Postfix) id 55EAB1002382; Fri, 7 Aug 2020 12:46:03 +0000 (UTC) Received: from domokun.gsslab.fab.redhat.com (unknown [10.33.8.110]) by smtp.corp.redhat.com (Postfix) with ESMTP id 67AC01001901; Fri, 7 Aug 2020 12:45:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1596804387; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=nHsNxakKrQPMWIsWtCEikE84BdOMOKzgBu9p3oQRGd0=; b=AMrYhP0KxTcLgNTwWw1lcErGJnTlRH/69KdFkuU1x5SgGfPyAO16Zw+r+wtu0+8ctQ7eA3 YcNNFFFGoZ32NWqoA6Zz+umWQR053DzXoeUkRX7cKqUmVO5I1+LJJNsQEvgtRQyWsK/0Vn 2zBvNGy1kR/gIVx4+qJY0tV4oJhIaL4= X-MC-Unique: fIk1fO2SPTGDpqhE21ZXhQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [PATCH] remote: use SocketMode=0600 when polkit is not compiled Date: Fri, 7 Aug 2020 13:45:52 +0100 Message-Id: <20200807124552.3233841-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Cc: Marc Deslauriers X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) The systemd .socket unit files we ship for libvirt daemons use SocketMode=3D0666 on the assumption that libvirt is built with polkit which provides access control. Some people, however, may have explicitly turned off polkit at build time and not realize that leaves them insecure unless they also change the SocketMode. This addresses that problem by making the SocketMode default to 0600 when polkit is disabled at compile time. Note we cannot automatically fix the case where the user compiles polkit, but then overrides the libvirtd.conf defaults to disable polkit. This is what lead to CVE-2020-15708 in Ubuntu 20.10. We can at least improve the inline comments in the config file to give a clearer warning though, which may have helped avoid the mistaken config. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Pavel Hrdina --- src/meson.build | 5 +++++ src/remote/libvirtd.conf.in | 38 ++++++++++++++++++++++++++--------- src/remote/libvirtd.socket.in | 2 +- 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/src/meson.build b/src/meson.build index b1c9993bc0..fd23fc55a8 100644 --- a/src/meson.build +++ b/src/meson.build @@ -776,6 +776,11 @@ if conf.has('WITH_LIBVIRTD') unit_conf.set('service', unit['service']) unit_conf.set('sockprefix', unit['sockprefix']) unit_conf.set('deps', unit.get('deps', '')) + if conf.has('WITH_POLKIT') + unit_conf.set('mode', '0666') + else + unit_conf.set('mode', '0600') + endif =20 configure_file( input: unit['service_in'], diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in index 2607fbad86..1615f33502 100644 --- a/src/remote/libvirtd.conf.in +++ b/src/remote/libvirtd.conf.in @@ -127,6 +127,8 @@ # # Authentication. # +# There are choices available: +# # - none: do not perform auth checks. If you can connect to the # socket you are allowed. This is suitable if there are # restrictions on connecting to the socket (eg, UNIX @@ -144,21 +146,39 @@ # full read/write access (aka sudo like), while anyone # is allowed read/only access. # + # Set an authentication scheme for UNIX read-only sockets +# # By default socket permissions allow anyone to connect # -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here +# If libvirt was compiled without support for 'polkit', then +# no access control checks are done, but libvirt still only +# allows execution of APIs which don't change state. +# +# If libvirt was compiled with support for 'polkit', then +# the libvirt socket will perform a check with polkit after +# connections. The default policy still allows any local +# user access. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. #auth_unix_ro =3D "none" =20 -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. +# Set an authentication scheme for UNIX read-write sockets. +# +# If libvirt was compiled without support for 'polkit', then +# the systemd .socket files will use SocketMode=3D0600 by default +# thus only allowing root user to connect, and 'auth_unix_rw' +# will default to 'none'. +# +# If libvirt was compiled with support for 'polkit', then +# the systemd .socket files will use SocketMode=3D0666 which +# allows any user to connect and 'auth_iunix_rw' will default +# to 'polkit'. If you disable use of 'polkit' here, then it +# is essential to change the systemd SocketMode parameter +# back to 0600, to avoid an insecure configuration. # -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -#auth_unix_rw =3D "none" +#auth_unix_rw =3D "polkit" @CUT_ENABLE_IP@ =20 # Change the authentication scheme for TCP sockets. diff --git a/src/remote/libvirtd.socket.in b/src/remote/libvirtd.socket.in index df36df2125..85b4aa800a 100644 --- a/src/remote/libvirtd.socket.in +++ b/src/remote/libvirtd.socket.in @@ -8,7 +8,7 @@ Before=3D@service@.service # when using systemd version < 227 ListenStream=3D@runstatedir@/libvirt/@sockprefix@-sock Service=3D@service@.service -SocketMode=3D0666 +SocketMode=3D@mode@ =20 [Install] WantedBy=3Dsockets.target --=20 2.25.4