qemu-user has never been designed to run in suid/sgid context,
to handle a suid/sgid binary which should run with elevated
privileges. Our qemu-binfmt-conf script made it too easy to
hit this trap for the users. Remove this ability.
If an experienced user wants to set up such an environment,
there's a simple way to modify the resulting config to include
the necessary flags, but qemu itself should not support this
mode until we can provide a minimal security guarantee/support.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
scripts/qemu-binfmt-conf.sh | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index 5fd462b1d1..c4a1fe7685 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -183,7 +183,7 @@ qemu_normalize() {
usage() {
cat <<EOF
Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU]
- [--help][--credential yes|no][--exportdir PATH]
+ [--help][--exportdir PATH]
[--persistent yes|no][--qemu-suffix SUFFIX]
[--preserve-argv0 yes|no]
@@ -200,8 +200,6 @@ Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU]
file for all known cpus
--exportdir: define where to write configuration files
(default: $SYSTEMDDIR or $DEBIANDIR)
- --credential: if yes, credential and security tokens are
- calculated according to the binary to interpret
--persistent: if yes, the interpreter is loaded when binfmt is
configured and remains in memory. All future uses
are cloned from the open file.
@@ -275,9 +273,6 @@ qemu_check_systemd() {
qemu_generate_register() {
flags=""
- if [ "$CREDENTIAL" = "yes" ] ; then
- flags="OC"
- fi
if [ "$PERSISTENT" = "yes" ] ; then
flags="${flags}F"
fi
@@ -304,7 +299,7 @@ package qemu-$cpu
interpreter $qemu
magic $magic
mask $mask
-credentials $CREDENTIAL
+credentials no
preserve $PRESERVE_ARG0
fix_binary $PERSISTENT
EOF
@@ -359,13 +354,12 @@ SYSTEMDDIR="/etc/binfmt.d"
DEBIANDIR="/usr/share/binfmts"
QEMU_PATH=/usr/local/bin
-CREDENTIAL=no
PERSISTENT=no
PRESERVE_ARG0=no
QEMU_SUFFIX=""
IGNORE_FAMILY=no
-_longopts="debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,\
+_longopts="debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,\
persistent:,preserve-argv0:,ignore-family:"
options=$(getopt -o ds:Q:S:e:hc:p:g:F:i: -l ${_longopts} -- "$@")
eval set -- "$options"
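Review bot: The short-option string on the `options=$(getopt -o ds:Q:S:e:hc:p:g:F:i: ...)` line still contains `c:`, so getopt keeps accepting `-c VALUE` even though `credential:` is dropped from `_longopts` here and the `-c|--credential` case arm is removed in the last hunk. As a result `--credential yes` is now rejected by getopt while `-c yes` is not, and what happens to a surviving `-c` then depends on the case statement's default arm, which lies outside the hunk. To make the removal complete and consistent, drop the short option as well: `options=$(getopt -o ds:Q:S:e:hp:g:F:i: -l ${_longopts} -- "$@")`.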
@@ -415,10 +409,6 @@ while true ; do
usage
exit 1
;;
- -c|--credential)
- shift
- CREDENTIAL="$1"
- ;;
-p|--persistent)
shift
PERSISTENT="$1"
--
2.47.2
On 24.08.2025 13:24, Michael Tokarev wrote:
> qemu-user has never been designed to run in suid/sgid context,
> to handle a suid/sgid binary which should run with elevated
> privileges. Our qemu-binfmt-conf script made it too easy to
> hit this trap for the users. Remove this ability.
>
> If an experienced user wants to set up such an environment,
> there's a simpe way to modify the resulting config to include
> the necessary flags, but qemu itself should not support this
> mode until we can provide a minimal security guarantee/support.
Any opinions please?
What I'm thinking - maybe, when this option is given, print an
error message saying it is not supposed to be used like this,
with an explanation "why", instead of complaining about an
invalid option?
Thanks,
/mjt
> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> ---
> scripts/qemu-binfmt-conf.sh | 16 +++-------------
> 1 file changed, 3 insertions(+), 13 deletions(-)
>
> diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
> index 5fd462b1d1..c4a1fe7685 100755
> --- a/scripts/qemu-binfmt-conf.sh
> +++ b/scripts/qemu-binfmt-conf.sh
> @@ -183,7 +183,7 @@ qemu_normalize() {
> usage() {
> cat <<EOF
> Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU]
> - [--help][--credential yes|no][--exportdir PATH]
> + [--help][--exportdir PATH]
> [--persistent yes|no][--qemu-suffix SUFFIX]
> [--preserve-argv0 yes|no]
>
> @@ -200,8 +200,6 @@ Usage: qemu-binfmt-conf.sh [--qemu-path PATH][--debian][--systemd CPU]
> file for all known cpus
> --exportdir: define where to write configuration files
> (default: $SYSTEMDDIR or $DEBIANDIR)
> - --credential: if yes, credential and security tokens are
> - calculated according to the binary to interpret
> --persistent: if yes, the interpreter is loaded when binfmt is
> configured and remains in memory. All future uses
> are cloned from the open file.
> @@ -275,9 +273,6 @@ qemu_check_systemd() {
>
> qemu_generate_register() {
> flags=""
> - if [ "$CREDENTIAL" = "yes" ] ; then
> - flags="OC"
> - fi
> if [ "$PERSISTENT" = "yes" ] ; then
> flags="${flags}F"
> fi
> @@ -304,7 +299,7 @@ package qemu-$cpu
> interpreter $qemu
> magic $magic
> mask $mask
> -credentials $CREDENTIAL
> +credentials no
> preserve $PRESERVE_ARG0
> fix_binary $PERSISTENT
> EOF
> @@ -359,13 +354,12 @@ SYSTEMDDIR="/etc/binfmt.d"
> DEBIANDIR="/usr/share/binfmts"
>
> QEMU_PATH=/usr/local/bin
> -CREDENTIAL=no
> PERSISTENT=no
> PRESERVE_ARG0=no
> QEMU_SUFFIX=""
> IGNORE_FAMILY=no
>
> -_longopts="debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,credential:,\
> +_longopts="debian,systemd:,qemu-path:,qemu-suffix:,exportdir:,help,\
> persistent:,preserve-argv0:,ignore-family:"
> options=$(getopt -o ds:Q:S:e:hc:p:g:F:i: -l ${_longopts} -- "$@")
> eval set -- "$options"
> @@ -415,10 +409,6 @@ while true ; do
> usage
> exit 1
> ;;
> - -c|--credential)
> - shift
> - CREDENTIAL="$1"
> - ;;
> -p|--persistent)
> shift
> PERSISTENT="$1"