[pve-devel] Running KVM as root is a security issue
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Jul 27 20:11:54 CEST 2015
> Exit scripts could be suid if needed.
Scripts cannot be suid, because the executable is their interpreter, iow
/bin/sh, which in turn is not setuid-root.
> The exit scripts could simply notify some other privileged process
> that they are shutting down.
This is better. Even better would be a monitoring process that doesn't need to
be signaled.
(Coincidentally, this would also add the possibility of adding reliably-fired
exit-time hooks.)
>> Can qemu create the tap interface without root privilege ?
(...)
> tunctl -t tap0 -u myuser
Create - no, but they can be assigned a user.
The iproute2 version of the above command would be:
$ ip tuntap add tap0 mode tap user myuser
You can even mknod them into a node-file (which is how they work on BSDs.)
Also, qemu has a helper-script parameter which can be used to have them created.
This would have to be a compiled program and doesn't even need to be suid-root -
all it needs is CAP_NET_ADMIN.
There are a few ioctls that the user cannot issue to tap devices, though, I'm
not sure qemu needs those. (socat for instance fails on taps as a user). But
this can be easily patched if necessary.
Personally I'd like to generally aim for a whitelist permission model.
I.o.w.: never actually use root or setuid-root executables, but provide
the necessary POSIX capabilities, apparmor permissions and
filesystem access. But I fear it's a long and rocky road to get there.
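As an added illustration of the helper-program approach described in the message above (this is example code written here, not code from the thread, Proxmox or qemu): a minimal Linux tap-creation helper that is not setuid-root. It is meant to be granted only CAP_NET_ADMIN through file capabilities (`setcap cap_net_admin+ep ./tapctl`, the standard libcap tool) and hands the new device to an unprivileged user with TUNSETOWNER, which is what `ip tuntap add ... user myuser` does. The program name `tapctl` and the functions `valid_ifname`, `resolve_uid` and `create_user_tap` are my own choices; the ioctls, flags and headers are the kernel's TUN/TAP interface.

```c
/*
 * tapctl: create a persistent tap device owned by an unprivileged user.
 * Example code added for illustration; not Proxmox or qemu code.
 * Run without root: grant the binary CAP_NET_ADMIN via file capabilities
 * (setcap cap_net_admin+ep ./tapctl) instead of making it setuid-root.
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <net/if.h>        /* struct ifreq, IFNAMSIZ */
#include <linux/if_tun.h>  /* TUNSETIFF, TUNSETOWNER, TUNSETPERSIST, IFF_TAP */

/* Accept only names the kernel will take (non-empty, shorter than IFNAMSIZ)
 * and that carry no whitespace, path separators or shell metacharacters,
 * so a caller-supplied name cannot be abused by later tooling. Returns 1 if OK. */
int valid_ifname(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Resolve a user name to its uid. Returns 0 on success, -1 if unknown. */
int resolve_uid(const char *user, uid_t *uid)
{
    struct passwd *pw;
    if (user == NULL || uid == NULL) return -1;
    errno = 0;
    pw = getpwnam(user);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    return 0;
}

/* Create a persistent tap device owned by `uid`. Needs CAP_NET_ADMIN only.
 * Returns 0 on success, -1 with errno set on failure. */
int create_user_tap(const char *name, uid_t uid)
{
    struct ifreq ifr;
    int fd;

    if (!valid_ifname(name)) { errno = EINVAL; return -1; }

    fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0) return -1;

    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;      /* L2 frames, no packet-info header */
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);

    if (ioctl(fd, TUNSETIFF, &ifr) < 0 ||       /* create/attach the interface */
        ioctl(fd, TUNSETOWNER, (int)uid) < 0 || /* only this uid may open it later */
        ioctl(fd, TUNSETPERSIST, 1) < 0) {      /* keep it after we close the fd */
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <ifname> <user>\n", argv[0]);
        return 2;
    }
    if (geteuid() == 0)
        fprintf(stderr, "note: running as root; intended to run with only CAP_NET_ADMIN\n");
    if (resolve_uid(argv[2], &uid) < 0) {
        fprintf(stderr, "unknown user: %s\n", argv[2]);
        return 1;
    }
    if (create_user_tap(argv[1], uid) < 0) {
        perror("create_user_tap");
        return 1;
    }
    printf("created %s owned by uid %u\n", argv[1], (unsigned)uid);
    return 0;
}
```

After `./tapctl tap0 myuser`, `myuser` can open the device as a plain user (that is what TUNSETOWNER grants), while the helper itself never held anything beyond CAP_NET_ADMIN; the name check matters because the helper is the privileged boundary and everything after it should be able to trust the interface name it hands on.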