[pve-devel] Running KVM as root is a security issue
Alexandre DERUMIER
aderumier at odiso.com
Mon Jul 27 18:13:22 CEST 2015
we could create the tap interface,
tunctl -t tap0 -u myuser
then pass it to qemu without script
-netdev tap,ifname=tap0,id=mynet0,script=no
(and the bridge create, tap plug, could be also done manually in qemuserver vmstart)
----- Mail original -----
De: "aderumier" <aderumier at odiso.com>
À: "Eric Blevins" <ericlb100 at gmail.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Lundi 27 Juillet 2015 18:06:06
Objet: Re: [pve-devel] Running KVM as root is a security issue
Can qemu create the tap interface without root privilege ?
----- Mail original -----
De: "Eric Blevins" <ericlb100 at gmail.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Lundi 27 Juillet 2015 16:33:49
Objet: Re: [pve-devel] Running KVM as root is a security issue
Having only PCI passthrough VMs running as root would be a huge improvement.
Maybe cgroups could be used to reduce the risk.
Exit scripts could be suid if needed.
An exploted VM could potentially use the suid pve-bridgedown script to
destroy bridges of other VMs.
Long term I think a better idea is needed.
The exit scripts could simply notify some other privlidged process
that they are shutting down.
Privlidged process would then verify that VM is down and do whatever
cleanup is necessary.
On Mon, Jul 27, 2015 at 10:07 AM, Alexandre DERUMIER
<aderumier at odiso.com> wrote:
>>>Yes, that much I've tested, too. I'm worried about the shutdown scripts
>>>though (bridgedown). They might lack permissions if qemu doesn't keep a
>>>privileged parent process around for those.
>
> I think that pci passthrough need root access too. (maybe not with vfio).
>
> Not sure about disks with /dev/ mapping ?
>
>
>
> ----- Mail original -----
> De: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
> À: "Eric Blevins" <ericlb100 at gmail.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Envoyé: Lundi 27 Juillet 2015 15:53:00
> Objet: Re: [pve-devel] Running KVM as root is a security issue
>
>> A patch exists to prevent a crash when a socket cannot be opened.
>> https://lists.gnu.org/archive/html/qemu-devel/2015-05/msg00577.html
>
> Included in the current 2.4 devel build.
>
>> I've done some experimenting. If I take the KVM command as generated
>> by Proxmox and simply add "-runas nobody" the VM starts up and runs
>> without a problem.
>
> Yes, that much I've tested, too. I'm worried about the shutdown scripts
> though (bridgedown). They might lack permissions if qemu doesn't keep a
> privileged parent process around for those.
>
> Ideally the VM can be started directly as a user, though, rather than
> using the -runas switch. That will be some work though.
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list