From: Avi Kivity <avi@redhat.com>
To: Henry Cejtin <henry.cejtin@gmail.com>
Cc: kvm@vger.kernel.org
Subject: Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
Date: Mon, 27 Aug 2012 13:17:26 -0700
Message-ID: <503BD5D6.1040904@redhat.com>
In-Reply-To: <CAPKXxCp3DebWNWAMuzfnSUn2e4=o5165JimFY=+sEby43ZJGxw@mail.gmail.com>
On 08/27/2012 01:11 PM, Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
> % ls -l /dev/kvm
> crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
>
> Despite that, when a process is uid 1000 and group id 1000, and not in
> any other groups, I can open /dev/kvm.
>
> I.e., here are the relevant lines from /proc/<pid>/status:
>
> Uid: 1000 1000 1000 1000
> Gid: 1000 1000 1000 1000
> Groups: 1000
>
> Note, just to show this isn't some weirdness in /etc/passwd or
> /etc/groups, here is the output of stat on /dev/kvm:
>
> File: `/dev/kvm'
> Size: 0 Blocks: 0 IO Block: 4096
> character special file
> Device: 5h/5d Inode: 2597329 Links: 1 Device type: a,e8
> Access: (0660/crw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2012-08-24 15:03:33.616998585 -0500
> Modify: 2012-08-24 15:03:33.616998585 -0500
> Change: 2012-08-24 15:03:33.616998585 -0500
>
> Please note, I don't understand how this could really be. Regardless of
> what the /dev/kvm driver does, I don't get how I can get to open it if
> the file which `is' the device doesn't have the correct permissions.
> The driver can make access more restrictive than the file permissions,
> but not less restrictive, or so I thought.
>
> Also, if I try opening /dev/kvm as uid 1001 and group id 1000, again not
> in any other groups, it fails.
>
> I don't understand how this could be. Also, it means that uid 1000/gid
> 1000 can run virtual processes. I want to be able to limit that, and I
> would have thought that /dev/kvm having mode 660 and being owned by
> root.root would have done it.
>
> If it is any help, I am running a stock Debian Squeeze. The kernel is
> 2.6.32-5-amd64.
>
> Any help or pointers explaining how /dev/kvm can be opened by uid
> 1000/gid 1000 would be greatly appreciated. Also any explanation about
> why uid 1000 is different than 1001.
>
>
Strange. Try changing the permissions to 600 or 060 to see if it's the
user or group that allows you access.
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
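The `+` at the end of `crw-rw----+` in the quoted `ls -l` output is the marker GNU ls prints when a file carries an extended POSIX ACL, so the 0660 mode bits are not the whole access decision for this device node. As an added example that is not code from the thread, the following Python script applies the plain owner/group/other check to the two quoted lines (embedded here as constructed sample input) and flags the ACL marker, so an administrator auditing who can open /dev/kvm knows to look at `getfacl` before trusting the mode bits. `live_check` is an assumed helper for repeating the comparison on a real path; the verdict strings are this example's own wording.

```python
import os
import re

# Constructed sample input: the two lines quoted in the thread, not live output.
SAMPLE_LS_LINE = "crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm"
SAMPLE_STAT_LINE = "Access: (0660/crw-rw----) Uid: (    0/    root)   Gid: (    0/    root)"

LS_MODE_RE = re.compile(r"^([-bcdlps])([rwxsStT-]{9})([+.@]?)\s")
STAT_ACCESS_RE = re.compile(
    r"Access:\s+\((\d+)/[^)]*\)\s+Uid:\s+\(\s*(\d+)/[^)]*\)\s+Gid:\s+\(\s*(\d+)/"
)
PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_ls_mode(line):
    """Split an `ls -l` line into (file type char, 9-char permission string, trailing marker)."""
    m = LS_MODE_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def has_extended_acl(ls_line):
    """GNU ls appends '+' to the mode string when the file has an extended ACL
    ('.' means only a security context such as SELinux; '@' marks extended attributes on some systems)."""
    return parse_ls_mode(ls_line)[2] == "+"


def parse_stat_access(stat_line):
    """Pull (mode, owner uid, owner gid) out of stat's 'Access: (0660/...) Uid: (...) Gid: (...)' line."""
    m = STAT_ACCESS_RE.search(stat_line)
    if not m:
        raise ValueError("not a stat Access line: %r" % stat_line)
    return int(m.group(1), 8), int(m.group(2)), int(m.group(3))


def dac_allows(mode, owner_uid, owner_gid, uid, gid, groups, access="rw"):
    """Classic discretionary access check. Exactly one permission class applies:
    owner if uid matches, else group if the file's gid equals the process gid or any
    supplementary group, else other. uid 0 bypasses the check (CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    need = sum(PERM_BITS[ch] for ch in access)
    if uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif owner_gid == gid or owner_gid in groups:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & need) == need


def audit_device(ls_line, stat_line, uid, gid, groups, access="rw"):
    """Combine both outputs: what the mode bits alone say for this uid/gid, plus whether
    an extended ACL marker means the real answer may legitimately differ from them."""
    mode, owner_uid, owner_gid = parse_stat_access(stat_line)
    by_mode = dac_allows(mode, owner_uid, owner_gid, uid, gid, groups, access)
    acl = has_extended_acl(ls_line)
    if by_mode:
        verdict = "mode bits grant access"
    elif acl:
        verdict = "mode bits deny access but an extended ACL is present: inspect getfacl"
    else:
        verdict = "mode bits deny access and no ACL marker: open should fail"
    return {"mode": mode, "mode_bits_allow": by_mode, "extended_acl": acl, "verdict": verdict}


def live_check(path):
    """Assumed helper for a real path: compare the mode-bit check with what the kernel
    actually grants (os.access also honours ACLs and capabilities). A mismatch means
    something other than the mode bits decided the answer."""
    st = os.stat(path)
    by_mode = dac_allows(st.st_mode & 0o777, st.st_uid, st.st_gid,
                         os.getuid(), os.getgid(), os.getgroups())
    actual = os.access(path, os.R_OK | os.W_OK)
    return {"mode_bits_allow": by_mode, "kernel_allows": actual, "mismatch": by_mode != actual}


if __name__ == "__main__":
    # The two cases from the thread: uid 1000/gid 1000 and uid 1001/gid 1000, no other groups.
    print(audit_device(SAMPLE_LS_LINE, SAMPLE_STAT_LINE, uid=1000, gid=1000, groups=[1000]))
    print(audit_device(SAMPLE_LS_LINE, SAMPLE_STAT_LINE, uid=1001, gid=1000, groups=[1000]))
    if os.path.exists("/dev/kvm"):
        print(live_check("/dev/kvm"))
```

For both uids the mode bits deny access, and the script reports the same verdict for each: the `+` marker means the ACL must be read with `getfacl /dev/kvm` to see which extra user or group entries exist. Tightening the mode to 600 or 060 without also reviewing or removing those ACL entries (`setfacl -b`) leaves the extra grants in place.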
Thread overview: 4+ messages
2012-08-27 20:11 /dev/kvm not sufficiently restricted, and in ways I didn't think were possible Henry Cejtin
2012-08-27 20:17 ` Avi Kivity [this message]
2012-08-28 7:40 ` Michael Tokarev
-- strict thread matches above, loose matches on Subject: below --
2012-08-27 18:07 Neal Murphy