diff --git a/src/libvirt.c b/src/libvirt.c
index 0f8d79a59b..aec5d80fa4 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -1135,6 +1135,12 @@ do_open(const char *name,
     if (name && name[0] == '\0')
         name = NULL;
 
+    if (!name && virIsSUID()) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("An explicit URI must be provided when setuid"));
+        goto failed;
+    }
+
     /*
      * If no URI is passed, then check for an environment string if not
      * available probe the compiled in drivers to find a default hypervisor
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 43aaa82e8a..fd8eeb1b91 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -488,6 +488,20 @@ doRemoteOpen(virConnectPtr conn,
         transport = trans_unix;
     }
 
+    /*
+     * We don't want to be executing external programs in setuid mode,
+     * so this rules out 'ext' and 'ssh' transports. Exclude libssh
+     * and tls too, since we're not confident the libraries are safe
+     * for setuid usage. Just allow UNIX sockets, since that does
+     * not require any external libraries or command execution
+     */
+    if (virIsSUID() &&
+        transport != trans_unix) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Only Unix socket URI transport is allowed in setuid mode"));
+        return VIR_DRV_OPEN_ERROR;
+    }
+
     /* Local variables which we will initialize. These can
      * get freed in the failed: path. */
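Review bot: The new setuid guard in do_open silently depends on the normalisation two lines above it (an empty string has just become NULL), which is what makes it reject an empty URI as well as a missing one; nothing records that, so a later reorder could reopen the environment-derived default for setuid callers, and a line such as `/* name is already normalised: "" became NULL, so an empty URI is rejected here too */` above the check would pin the ordering. The comment that follows ("If no URI is passed, then check for an environment string ...") is now only true for non-setuid callers and should say so, e.g. `* (never reached when setuid: the check above insists on an explicit URI)`. VIR_ERR_INTERNAL_ERROR reads as a libvirt bug rather than a caller error; VIR_ERR_INVALID_ARG would describe the condition more accurately if existing callers tolerate it. do_open's body, including the failed: label this jumps to, starts and ends outside the hunk.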