* Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
@ 2012-08-27 18:07 Neal Murphy
From: Neal Murphy @ 2012-08-27 18:07 UTC (permalink / raw)
To: kvm
On Monday, August 27, 2012 04:11:11 PM Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
> % ls -l /dev/kvm
> crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
>
> Despite that, when a process is uid 1000 and group id 1000, and not in
> any other groups, I can open /dev/kvm.
>
> ...
>
> Please note, I don't understand how this could really be.
I think the '+' indicates ACLs are in use; 'getfacl /dev/kvm' might be
illuminating. It might be something udev does, or something your desktop
software does when you log in.
* /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
@ 2012-08-27 20:11 Henry Cejtin
From: Henry Cejtin @ 2012-08-27 20:11 UTC (permalink / raw)
To: kvm
I'm completely confused about access to /dev/kvm. In particular, it
looks like it is too open to access, but in a way that I don't
understand.
On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
output of ls:
% ls -l /dev/kvm
crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
Despite that, when a process is uid 1000 and group id 1000, and not in
any other groups, I can open /dev/kvm.
I.e., here are the relevant lines from /proc/<pid>/status:
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
Groups: 1000
Note, just to show this isn't some weirdness in /etc/passwd or
/etc/groups, here is the output of stat on /dev/kvm:
File: `/dev/kvm'
Size: 0 Blocks: 0 IO Block: 4096
character special file
Device: 5h/5d Inode: 2597329 Links: 1 Device type: a,e8
Access: (0660/crw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2012-08-24 15:03:33.616998585 -0500
Modify: 2012-08-24 15:03:33.616998585 -0500
Change: 2012-08-24 15:03:33.616998585 -0500
Please note, I don't understand how this could really be. Regardless of
what the /dev/kvm driver does, I don't get how I can get to open it if
the file which `is' the device doesn't have the correct permissions.
The driver can make access more restrictive than the file permissions,
but not less restrictive, or so I thought.
Also, if I try opening /dev/kvm as uid 1001 and group id 1000, again not
in any other groups, it fails.
I don't understand how this could be. Also, it means that uid 1000/gid
1000 can run virtual processes. I want to be able to limit that, and I
would have thought that /dev/kvm having mode 660 and being owned by
root.root would have done it.
If it is any help, I am running a stock Debian Squeeze. The kernel is
2.6.32-5-amd64.
Any help or pointers explaining how /dev/kvm can be opened by uid
1000/gid 1000 would be greatly appreciated. Also any explanation about
why uid 1000 is different than 1001.
Thanks
* Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
From: Avi Kivity @ 2012-08-27 20:17 UTC (permalink / raw)
To: Henry Cejtin; +Cc: kvm
On 08/27/2012 01:11 PM, Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
> % ls -l /dev/kvm
> crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
>
> Despite that, when a process is uid 1000 and group id 1000, and not in
> any other groups, I can open /dev/kvm.
>
> I.e., here are the relevant lines from /proc/<pid>/status:
>
> Uid: 1000 1000 1000 1000
> Gid: 1000 1000 1000 1000
> Groups: 1000
>
> Note, just to show this isn't some weirdness in /etc/passwd or
> /etc/groups, here is the output of stat on /dev/kvm:
>
> File: `/dev/kvm'
> Size: 0 Blocks: 0 IO Block: 4096
> character special file
> Device: 5h/5d Inode: 2597329 Links: 1 Device type: a,e8
> Access: (0660/crw-rw----) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2012-08-24 15:03:33.616998585 -0500
> Modify: 2012-08-24 15:03:33.616998585 -0500
> Change: 2012-08-24 15:03:33.616998585 -0500
>
> Please note, I don't understand how this could really be. Regardless of
> what the /dev/kvm driver does, I don't get how I can get to open it if
> the file which `is' the device doesn't have the correct permissions.
> The driver can make access more restrictive than the file permissions,
> but not less restrictive, or so I thought.
>
> Also, if I try opening /dev/kvm as uid 1001 and group id 1000, again not
> in any other groups, it fails.
>
> I don't understand how this could be. Also, it means that uid 1000/gid
> 1000 can run virtual processes. I want to be able to limit that, and I
> would have thought that /dev/kvm having mode 660 and being owned by
> root.root would have done it.
>
> If it is any help, I am running a stock Debian Squeeze. The kernel is
> 2.6.32-5-amd64.
>
> Any help or pointers explaining how /dev/kvm can be opened by uid
> 1000/gid 1000 would be greatly appreciated. Also any explanation about
> why uid 1000 is different than 1001.
>
>
Strange. Try changing the permissions to 600 or 060 to see if it's the
user or group that allows you access.
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
* Re: /dev/kvm not sufficiently restricted, and in ways I didn't think were possible
From: Michael Tokarev @ 2012-08-28 7:40 UTC (permalink / raw)
To: Henry Cejtin; +Cc: kvm
On 28.08.2012 00:11, Henry Cejtin wrote:
> I'm completely confused about access to /dev/kvm. In particular, it
> looks like it is too open to access, but in a way that I don't
> understand.
>
> On my machine, /dev/kvm is owned by root.root and mode 660. Here is the
> output of ls:
>
> % ls -l /dev/kvm
> crw-rw----+ 1 root root 10, 232 Aug 24 15:03 /dev/kvm
Note the plus sign in there (+). Run getfacl on this file.
Most likely it is consolekit/policykit which has a rule to add
ACLs to some devices (audio etc) for a current session user.
/mjt
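The point made in Michael's and Neal's replies, as an added example that is not part of the thread: a small Python model of the POSIX.1e ACL access check, run over a constructed getfacl listing of the kind a session-user ACL produces (a user:1000:rw- entry on top of mode 0660 root:root). The listing, the numeric ids and the uid/gid combinations are assumptions modelled on the thread, not values taken from any host.

```python
# Added example, not from the thread: a POSIX.1e ACL check over a constructed
# getfacl -n style listing shaped like the /dev/kvm case (not from a real host).
GETFACL_OUTPUT = """\
# file: dev/kvm
# owner: 0
# group: 0
user::rw-
user:1000:rw-
group::rw-
mask::rw-
other::---
"""

def parse_getfacl(text):
    """Return (owner_uid, owner_gid, entries); each entry is
    (tag, qualifier_or_None, set_of_rwx_letters), in getfacl order."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        if line.startswith('# owner:'):
            owner = int(line.split(':', 1)[1])
        elif line.startswith('# group:'):
            group = int(line.split(':', 1)[1])
        elif line and not line.startswith('#'):
            tag, qual, perm = line.split(':')
            entries.append((tag, int(qual) if qual else None,
                            {c for c in perm if c != '-'}))
    return owner, group, entries

def acl_allows(text, uid, groups, want):
    """POSIX.1e check order: owner, named user, owning/named groups, other;
    the mask applies to all but owner and other. True if all of want is granted."""
    owner, group, entries = parse_getfacl(text)
    want = set(want)
    mask = next((p for t, _, p in entries if t == 'mask'), None)
    masked = lambda p: p if mask is None else p & mask
    matched_group = False
    for tag, qual, perm in entries:
        if tag == 'user' and qual is None and uid == owner:
            return want <= perm                    # owner: mask not applied
        if tag == 'user' and qual == uid:
            return want <= masked(perm)            # named user: uid 1000 here
        if tag == 'group' and (group if qual is None else qual) in groups:
            matched_group = True
            if want <= perm:                       # first granting group wins
                return want <= masked(perm)
        if tag == 'other':
            return False if matched_group else want <= perm
    return False
```

acl_allows(GETFACL_OUTPUT, 1000, {1000}, 'rw') is True while the same call for uid 1001 falls through to other::--- and is False, which is exactly the split the original post observes. On a file that carries an ACL the group bits of the mode are the mask entry, so Avi's chmod 600 experiment would also shut out uid 1000 by clearing the mask rather than by touching the group entry.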