From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Markus Armbruster" <armbru@redhat.com>,
"Michael Roth" <michael.roth@amd.com>,
"Konstantin Kostiuk" <kkostiuk@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PATCH 14/14] qga: mark guest-ssh-* / guest-*-password commands with 'unrestricted' flag
Date: Tue, 4 Jun 2024 16:32:42 +0100 [thread overview]
Message-ID: <20240604153242.251334-15-berrange@redhat.com> (raw)
In-Reply-To: <20240604153242.251334-1-berrange@redhat.com>
This blocks use of all the 'guest-ssh-*' / 'guest-password' commands
unless the QGA is runwith the --unrestricted command line argument.
These commands allow the host admin to takeover user accounts and so
directly compromise the guest OS.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
qga/qapi-schema.json | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index 25068b8110..e7ce80a479 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -1251,10 +1251,15 @@
# transmission, even if already crypt()d, to ensure it is 8-bit safe
# when passed as JSON.
#
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
# Since: 2.3
##
{ 'command': 'guest-set-user-password',
'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool' },
+ 'features': [ 'user-auth' ],
'if': { 'any': [ 'CONFIG_WIN32', 'CONFIG_LINUX', 'CONFIG_FREEBSD'] } }
##
@@ -1810,11 +1815,16 @@
#
# Returns: @GuestAuthorizedKeys
#
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
# Since: 5.2
##
{ 'command': 'guest-ssh-get-authorized-keys',
'data': { 'username': 'str' },
- 'returns': 'GuestAuthorizedKeys'
+ 'returns': 'GuestAuthorizedKeys',
+ 'features': [ 'user-auth' ]
}
##
@@ -1830,10 +1840,15 @@
#
# @reset: ignore the existing content, set it with the given keys only
#
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
# Since: 5.2
##
{ 'command': 'guest-ssh-add-authorized-keys',
- 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' }
+ 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' },
+ 'features': [ 'user-auth' ]
}
##
@@ -1848,10 +1863,15 @@
# @keys: the public keys to remove (in OpenSSH/sshd(8) authorized_keys
# format)
#
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
# Since: 5.2
##
{ 'command': 'guest-ssh-remove-authorized-keys',
- 'data': { 'username': 'str', 'keys': ['str'] }
+ 'data': { 'username': 'str', 'keys': ['str'] },
+ 'features': [ 'user-auth' ]
}
##
--
2.45.1
next prev parent reply other threads:[~2024-06-04 15:34 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-04 15:32 [PATCH 00/14] Improve mechanism for configuring allowed commands Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 01/14] qapi: use "QAPI_FEATURE" as namespace for special features Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 02/14] qapi: add helper for checking if a command feature is set Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 03/14] qapi: cope with special feature names containing a '-' Daniel P. Berrangé
2024-07-12 7:54 ` Markus Armbruster
2024-06-04 15:32 ` [PATCH 04/14] qapi: add a 'command-features' pragma Daniel P. Berrangé
2024-07-12 8:07 ` Markus Armbruster
2024-07-12 8:12 ` Daniel P. Berrangé
2024-07-12 8:50 ` Markus Armbruster
2024-07-12 9:17 ` Daniel P. Berrangé
2024-07-16 18:08 ` Markus Armbruster
2024-07-17 10:46 ` Daniel P. Berrangé
2024-07-17 11:43 ` Markus Armbruster
2024-06-04 15:32 ` [PATCH 05/14] qapi: stop hardcoding list of special features Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 06/14] qapi: define enum for custom special features on commands Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 07/14] qga: use special feature to mark those that can run when FS are frozen Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 08/14] qga: add command line to limit commands for confidential guests Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 09/14] qga: define commands which can be run in confidential mode Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 10/14] qga: add command line to block unrestricted command/file access Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 11/14] qga: mark guest-file-* commands with 'unrestricted' flag Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 12/14] qga: mark guest-exec-* " Daniel P. Berrangé
2024-06-04 15:32 ` [PATCH 13/14] qga: add command line to block user authentication commands Daniel P. Berrangé
2024-06-04 15:32 ` Daniel P. Berrangé [this message]
2024-07-02 18:09 ` [PATCH 00/14] Improve mechanism for configuring allowed commands Daniel P. Berrangé
2024-07-15 9:52 ` Markus Armbruster
2024-07-15 10:56 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240604153242.251334-15-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=kkostiuk@redhat.com \
--cc=michael.roth@amd.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).