[pve-devel] Running KVM as root is a security issue

Alexandre DERUMIER aderumier at odiso.com
Mon Jul 27 18:13:22 CEST 2015


we could create the tap interface,
tunctl -t tap0 -u myuser

then pass it to qemu without script

-netdev tap,ifname=tap0,id=mynet0,script=no


(and the bridge create, tap plug, could be also done manually in qemuserver vmstart)




----- Mail original -----
De: "aderumier" <aderumier at odiso.com>
À: "Eric Blevins" <ericlb100 at gmail.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Lundi 27 Juillet 2015 18:06:06
Objet: Re: [pve-devel] Running KVM as root is a security issue

Can qemu create the tap interface without root privilege ? 


----- Mail original ----- 
De: "Eric Blevins" <ericlb100 at gmail.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Envoyé: Lundi 27 Juillet 2015 16:33:49 
Objet: Re: [pve-devel] Running KVM as root is a security issue 

Having only PCI passthrough VMs running as root would be a huge improvement. 
Maybe cgroups could be used to reduce the risk. 

Exit scripts could be suid if needed. 
An exploted VM could potentially use the suid pve-bridgedown script to 
destroy bridges of other VMs. 

Long term I think a better idea is needed. 

The exit scripts could simply notify some other privlidged process 
that they are shutting down. 
Privlidged process would then verify that VM is down and do whatever 
cleanup is necessary. 




On Mon, Jul 27, 2015 at 10:07 AM, Alexandre DERUMIER 
<aderumier at odiso.com> wrote: 
>>>Yes, that much I've tested, too. I'm worried about the shutdown scripts 
>>>though (bridgedown). They might lack permissions if qemu doesn't keep a 
>>>privileged parent process around for those. 
> 
> I think that pci passthrough need root access too. (maybe not with vfio). 
> 
> Not sure about disks with /dev/ mapping ? 
> 
> 
> 
> ----- Mail original ----- 
> De: "Wolfgang Bumiller" <w.bumiller at proxmox.com> 
> À: "Eric Blevins" <ericlb100 at gmail.com> 
> Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Lundi 27 Juillet 2015 15:53:00 
> Objet: Re: [pve-devel] Running KVM as root is a security issue 
> 
>> A patch exists to prevent a crash when a socket cannot be opened. 
>> https://lists.gnu.org/archive/html/qemu-devel/2015-05/msg00577.html 
> 
> Included in the current 2.4 devel build. 
> 
>> I've done some experimenting. If I take the KVM command as generated 
>> by Proxmox and simply add "-runas nobody" the VM starts up and runs 
>> without a problem. 
> 
> Yes, that much I've tested, too. I'm worried about the shutdown scripts 
> though (bridgedown). They might lack permissions if qemu doesn't keep a 
> privileged parent process around for those. 
> 
> Ideally the VM can be started directly as a user, though, rather than 
> using the -runas switch. That will be some work though. 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 


More information about the pve-devel mailing list