* /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
@ 2012-08-27 20:11 Henry Cejtin
  2012-08-27 20:17 ` Avi Kivity
  2012-08-28  7:40 ` Michael Tokarev
  0 siblings, 2 replies; 4+ messages in thread
From: Henry Cejtin @ 2012-08-27 20:11 UTC (permalink / raw)
  To: kvm

I'm completely confused about access to /dev/kvm.  In particular, it
looks like it is too open to access, but in a way that I don't
understand.

On my machine, /dev/kvm is owned by root.root and mode 660.  Here is the
output of ls:

    % ls -l /dev/kvm
    crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm

Despite that, when a process is uid 1000 and group id 1000, and not in
any other groups, I can open /dev/kvm.

I.e., here are the relevant lines from /proc/<pid>/status:

    Uid:    1000    1000    1000    1000
    Gid:    1000    1000    1000    1000
    Groups: 1000

Note, just to show this isn't some weirdness in /etc/passwd or
/etc/groups, here is the output of stat on /dev/kvm:

      File: `/dev/kvm'
      Size: 0               Blocks: 0          IO Block: 4096   character special file
    Device: 5h/5d   Inode: 2597329     Links: 1     Device type: a,e8
    Access: (0660/crw-rw----)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2012-08-24 15:03:33.616998585 -0500
    Modify: 2012-08-24 15:03:33.616998585 -0500
    Change: 2012-08-24 15:03:33.616998585 -0500

Please note, I don't understand how this could really be.  Regardless of
what the /dev/kvm driver does, I don't get how I can get to open it if
the file which `is' the device doesn't have the correct permissions.
The driver can make access more restrictive than the file permissions,
but not less restrictive, or so I thought.

Also, if I try opening /dev/kvm as uid 1001 and group id 1000, again not
in any other groups, it fails.

I don't understand how this could be.  Also, it means that uid 1000/gid
1000 can run virtual processes.  I want to be able to limit that, and I
would have thought that /dev/kvm having mode 660 and being owned by
root.root would have done it.

If it is any help, I am running a stock Debian Squeeze.  The kernel is
2.6.32-5-amd64.

Any help or pointers explaining how /dev/kvm can be opened by uid
1000/gid 1000 would be greatly appreciated.  Also any explanation about
why uid 1000 is different than 1001.

Thanks

* Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
@ 2012-08-27 18:07 Neal Murphy
  0 siblings, 0 replies; 4+ messages in thread
From: Neal Murphy @ 2012-08-27 18:07 UTC (permalink / raw)
  To: kvm

On Monday, August 27, 2012 04:11:11 PM Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm.  In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
> 
> On my machine, /dev/kvm is owned by root.root and mode 660.  Here is the
> output of ls:
> 
>     % ls -l /dev/kvm
>     crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
> 
> Despite that, when a process is uid 1000 and group id 1000, and not in
> any other groups, I can open /dev/kvm.
> 
> ...
> 
> Please note, I don't understand how this could really be.

I think the '+' indicates ACLs are in use; 'getfacl /dev/kvm' might be 
illuminating. It might be something udev does, or something your desktop 
software does when you log in.

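Neal's suggestion can be checked mechanically.  The following is an added example (not code from the thread or from either poster): it parses `getfacl -n` output and applies the access-check order from acl(5), so it shows which entry grants the access and why the mask can cap it.  The ACL text inside it is constructed to reproduce the reported symptom, since the poster's real getfacl output is not in the thread; a named `user:1000:rw-` entry is what turns the trailing `-` in `ls -l` into `+`.

```python
# Added example, not from the thread.  Decides whether a process may open a
# device node under its POSIX ACL, following the check order in acl(5).
# SAMPLE_GETFACL is constructed in `getfacl -n` form; it is a guess at what
# the poster's "+" hides, not output from their machine.
SAMPLE_GETFACL = """\
# file: dev/kvm
# owner: 0
# group: 0
user::rw-
user:1000:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # drop any trailing "#effective:..." annotation before splitting
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            entries.append((tag, qualifier, perms))
    return owner, group, entries

def acl_permits(text, uid, gid, groups=(), want="rw"):
    """True if a process with these ids gets every permission letter in `want`."""
    owner, group, entries = parse_getfacl(text)
    perms = {(t, q): p for t, q, p in entries}
    mask = perms.get(("mask", ""))

    def grants(p, masked=True):
        if masked and mask is not None:        # mask caps every entry except owner/other
            p = "".join(c for c in p if c in mask)
        return all(c in p for c in want)

    if str(uid) == owner:                      # 1. file owner: user:: entry, unmasked
        return grants(perms[("user", "")], masked=False)
    if ("user", str(uid)) in perms:            # 2. named user entry (the "+" in ls)
        return grants(perms[("user", str(uid))])
    mine = {str(g) for g in (gid, *groups)}
    matching = [p for (t, q), p in perms.items() if t == "group"
                and (q in mine if q else group in mine)]
    if matching:                               # 3. any matching group entry suffices
        return any(grants(p) for p in matching)
    return grants(perms[("other", "")], masked=False)   # 4. everyone else
```

On a real system, feed the text of `getfacl -n /dev/kvm` to `acl_permits` to see which entry is granting access; `setfacl -b /dev/kvm` strips the extended entries, but whatever installs them at login will add them back.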