From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: Ways to exit from kvm on behalf of the quest system?
Date: Wed, 1 Aug 2007 18:14:41 +0100
Message-ID: <20070801171441.GK31282@redhat.com>
References: <bcba51a0707310956q41554dedn6b88f3819c37bb41@mail.gmail.com>
	<200708010047.36600.amit.shah@qumranet.com>
	<bcba51a0707311243vf78d45bo9fcb61d0b972f37a@mail.gmail.com>
	<46B0B779.5050407@qumranet.com>
	<bcba51a0708010948t106be39dh81fccc10ebf0a676@mail.gmail.com>
	<20070801165750.GH31282@redhat.com>
	<bcba51a0708011006q3df19f99k7ae9df230c95487f@mail.gmail.com>
Reply-To: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
To: Dimitry Golubovsky <golubovsky-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Return-path: <kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Content-Disposition: inline
In-Reply-To: <bcba51a0708011006q3df19f99k7ae9df230c95487f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=kvm-devel>
List-Post: <mailto:kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
List-Help: <mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org?subject=subscribe>
Sender: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Errors-To: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
List-Id: kvm.vger.kernel.org

On Wed, Aug 01, 2007 at 01:06:22PM -0400, Dimitry Golubovsky wrote:
> Daniel,
> 
> On 8/1/07, Daniel P. Berrange <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> 
> > Unless you whitelist which monitor commands it can run this would be a
> > significant security hole.  eg a guest could run
> >
> >   'usb_add disk /some/path'
> >
> > To get access to arbitrary files & disks from the host.
> >
> 
> If we assume that kvm runs under root, yes (and if kvm finds out it
> runs under root, it might disable such access to monitor). I have
> written a suid wrapper (very simple) that does whatever necessary
> under root, and then drops to user privileges, then execs kvm, so
> these actions will be limited by Linux multi-user mechanisms as usual.
> In my daily practice, I run kvm under my user privileges, and it works
> fine.

It can be a problem even if running as an unprivileged user, since the 
guest can read/write any files owned by that user - for example other 
guest disk images the user may have in their home dir.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/