Only allow the UNIX transport in remote driver when setuid

We don't know enough about quality of external libraries used for non-UNIX transports, nor do we want to spawn external commands when setuid. Restrict to the bare minimum which is UNIX transport for local usage. Users shouldn't need to be running setuid if connecting to remote hypervisors in any case. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2024-07-11 12:25:52 +00:00 · 2013-10-09 11:44:50 +01:00 · 2013-10-09 11:44:50 +01:00 · e22b0232c7
commit e22b0232c7
parent 71b21f12be
2 changed files with 20 additions and 0 deletions
--- a/src/libvirt.c
+++ b/src/libvirt.c
@ -1135,6 +1135,12 @@ do_open(const char *name,
    if (name && name[0] == '\0')
        name = NULL;

+    if (!name && virIsSUID()) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("An explicit URI must be provided when setuid"));
+        goto failed;
+    }
+
    /*
     *  If no URI is passed, then check for an environment string if not
     *  available probe the compiled in drivers to find a default hypervisor
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@ -488,6 +488,20 @@ doRemoteOpen(virConnectPtr conn,
        transport = trans_unix;
    }

+    /*
+     * We don't want to be executing external programs in setuid mode,
+     * so this rules out 'ext' and 'ssh' transports. Exclude libssh
+     * and tls too, since we're not confident the libraries are safe
+     * for setuid usage. Just allow UNIX sockets, since that does
+     * not require any external libraries or command execution
+     */
+    if (virIsSUID() &&
+        transport != trans_unix) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Only Unix socket URI transport is allowed in setuid mode"));
+        return VIR_DRV_OPEN_ERROR;
+    }
+
    /* Local variables which we will initialize. These can
     * get freed in the failed: path.
     */