From: Anthony PERARD <anthony.perard@citrix.com>
To: George Dunlap <dunlapg@umich.edu>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>
Subject: Re: [PATCH v10] run QEMU as non-root
Date: Wed, 14 Mar 2018 16:14:28 +0000
Message-ID: <20180314161428.GA2330@perard>
In-Reply-To: <CAFLBxZZhNsnzePeEWBq8bwrWRv_UkdmbAnOTf491nbBqVU=f7g@mail.gmail.com>
On Wed, Mar 14, 2018 at 02:49:37PM +0000, George Dunlap wrote:
> On Thu, Nov 5, 2015 at 12:47 PM, Stefano Stabellini
> <stefano.stabellini@eu.citrix.com> wrote:
> > diff --git a/docs/misc/qemu-deprivilege.txt b/docs/misc/qemu-deprivilege.txt
> > new file mode 100644
> > index 0000000..dde74ab
> > --- /dev/null
> > +++ b/docs/misc/qemu-deprivilege.txt
> > @@ -0,0 +1,31 @@
> > +For security reasons, libxl tries to pass a non-root username to QEMU as
> > +argument. During initialization QEMU calls setuid and setgid with the
> > +user ID and the group ID of the user passed as argument.
> > +Libxl looks for the following users in this order:
> > +
> > +1) a user named "xen-qemuuser-domid$domid",
> > +Where $domid is the domid of the domain being created.
> > +This requires the reservation of 65535 uids from xen-qemuuser-domid1
> > +to xen-qemuuser-domid65535. To use this mechanism, you might want to
> > +create a large number of users at installation time. For example:
> > +
> > +for ((i=1; i<65536; i++))
> > +do
> > + adduser --no-create-home --system xen-qemuuser-domid$i
> > +done
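Review bot: the `adduser --no-create-home --system` loop in this hunk cannot produce the 65535 accounts the preceding paragraph says are required, because `--system` allocates uids only from the distribution's system range (FIRST_SYS_UID to LAST_SYS_UID, 100-999 on Debian by default), so the loop stops after a few hundred users and `adduser` keeps failing for every remaining domid; the doc should explain how to reserve a uid range large enough (for example a systemd-sysusers `r - <lo>-<hi>` line, or the xen-qemuuser-range-base user that the dm_restrict manual describes) before presenting this loop, and the loop should stop on a non-zero `adduser` exit status rather than continue silently. Given that one `adduser` call takes on the order of a second, the loop is also worth framing as a slow fallback rather than the primary option.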
>
> This fails for me after a few hundred uids:
>
> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
> LAST_SYS_UID).
> adduser: The user `xen-qemuuser-domid892' was not created.
> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
> LAST_SYS_UID).
> adduser: The user `xen-qemuuser-domid893' was not created.
> adduser: No UID is available in the range 100-999 (FIRST_SYS_UID -
> LAST_SYS_UID).
> adduser: The user `xen-qemuuser-domid894' was not created.
>
> It looks like even if --system were omitted, this would fail on a
> normal system, as the default UID range looks to be [1000,29999].
>
> Also, on my test box a single 'adduser' takes about 1 second, meaning
> just doing up to the normal number of domains (around 32k) would take
> 9 hours or so; is that really a practical suggestion?
Using systemd, it's a bit faster:

for ((i=1; i<5000; i++)); do
    echo "u xen-qemuuser-domid$i -" >> /etc/sysusers.d/xen-qemu-depriv.conf;
done

$ time systemd-sysusers xen-qemu-depriv.conf
systemd-sysusers xen-qemu-depriv.conf  1.19s user 1.71s system 45% cpu 6.351 total

but that also fails to create user xen-qemuuser-domid940 and the
following. And uid for all new users was < 1000.

That works better if you start my little script here with:

echo "r - 2000-9000" >> /etc/sysusers.d/xen-qemu-depriv.conf

# for 5000 uid:
systemd-sysusers xen-qemu-depriv.conf  2.29s user 3.54s system 47% cpu 12.237 total
George, if you read the manual for dm_restrict, the first option
presented is to create a single userid that is the start of a range of
uid to use:
> Ideally, set aside a range of 32752 uids (from N to N+32751) and
> create a user whose name is xen-qemuuser-range-base and whose uid is N
> and whose gid is a plain unprivileged gid. libxl will use one such
> user for each domid.
Which works fine.
--
Anthony PERARD
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
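As an added example, not part of this thread and not code from the Xen tree: the range-base scheme Anthony quotes only works if the 32752 uids from N to N+32751 are actually unused, and the thread shows how easily a chosen range runs into accounts that already exist. The POSIX sh functions below check a passwd file for collisions with such a range and compute the per-domain uid. The passwd content is a constructed sample, and the mapping uid = N + domid is an assumption made here (the quoted manual text only says libxl uses "one such user for each domid").

```shell
#!/bin/sh
# Added example: verify that a candidate uid range for the
# xen-qemuuser-range-base user is free of existing accounts.

# Constructed passwd sample (not taken from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
systemd-network:x:101:102::/run/systemd:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
backup-agent:x:40100:40100::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Size of the range the dm_restrict manual text asks to set aside.
RANGE_SIZE=32752

# uid_collisions BASE [PASSWD_TEXT]
# Prints "name:uid" for every account whose uid lies in
# [BASE, BASE+RANGE_SIZE-1]. Returns 0 when the range is free,
# 1 when at least one collision was found. Reads /etc/passwd
# when no passwd text is supplied.
uid_collisions() {
    base=$1
    passwd_text=${2:-$(cat /etc/passwd)}
    last=$((base + RANGE_SIZE - 1))
    printf '%s\n' "$passwd_text" | awk -F: -v lo="$base" -v hi="$last" '
        $3 >= lo && $3 <= hi { print $1 ":" $3; found = 1 }
        END { exit found ? 1 : 0 }'
}

# domid_uid BASE DOMID
# Prints the uid a domain would run QEMU as, using the assumed
# mapping uid = BASE + DOMID; fails for domids outside the range.
domid_uid() {
    base=$1
    domid=$2
    if [ "$domid" -lt 0 ] || [ "$domid" -ge "$RANGE_SIZE" ]; then
        echo "domid $domid outside the reserved range of $RANGE_SIZE uids" >&2
        return 1
    fi
    echo $((base + domid))
}

# Stand-alone usage against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    for base in 2000 30000; do
        if uid_collisions "$base" "$SAMPLE_PASSWD"; then
            echo "range $base..$((base + RANGE_SIZE - 1)) is free"
        else
            echo "range $base..$((base + RANGE_SIZE - 1)) collides (see above)"
        fi
    done
fi
```

Run it as `sh check-range.sh --demo` to see that a base of 2000 is free in the sample while a base of 30000 overlaps the backup-agent account; run `uid_collisions N` without a second argument to check the live /etc/passwd on the host before creating the base user.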
Thread overview:
2015-11-05 12:47 [PATCH v10] run QEMU as non-root Stefano Stabellini
2015-11-16 12:07 ` Ian Campbell
2015-11-16 12:35 ` Ian Campbell
2018-03-14 14:49 ` George Dunlap
2018-03-14 16:14 ` Anthony PERARD [this message]
2018-03-14 17:37 ` George Dunlap