From: "M. Mohan Kumar" <mohan@in.ibm.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: libvir-list@redhat.com, qemu-devel@nongnu.org,
Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Subject: Re: [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p
Date: Tue, 4 Oct 2011 16:38:22 +0530 [thread overview]
Message-ID: <201110041638.22977.mohan@in.ibm.com> (raw)
In-Reply-To: <20110930095615.GB13701@redhat.com>
>
> That is the case if the proxy helper code is perfectly written. I am trying
> to think about the scenario where there is a bug (eg heap corruption /
> stack overflow) which allows a malicious non-root QEMU process to exploit
> the proxy helper to run code that it was *not* intended to run.
>
> If the proxy helper is running root with all capabilities, then a bug in
> the proxy helper can easily turn into a full root exploit.
>
> If the proxy helper starts as root, chroots, and then immediately drops to
> a non-root user, keeping only the CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER
> and CAP_DAC_READ_SEARCH capabilities, then a bug in the proxy helper can
> only be used to access files within the designated 9pfs export. If the
> exported directory does not contain any important host system files, then
> it is unlikely it can be used to create a full root exploit.
>
Thanks Daniel, I will add 'capabiliies' to proxy helper. CAP_FOWNER capability
also need.
I am working on the patches. I will post them in few days.
next prev parent reply other threads:[~2011-10-04 11:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-28 14:19 [Qemu-devel] [RFC] Adding new filesystem 'proxy' to 9p M. Mohan Kumar
2011-09-28 14:59 ` Daniel P. Berrange
2011-09-29 18:12 ` M. Mohan Kumar
2011-09-30 9:56 ` Daniel P. Berrange
2011-10-04 11:08 ` M. Mohan Kumar [this message]
2011-10-10 8:10 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201110041638.22977.mohan@in.ibm.com \
--to=mohan@in.ibm.com \
--cc=berrange@redhat.com \
--cc=libvir-list@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).