[Pkg-libvirt-maintainers] Bug#862340: Bug#862340: minimize security risk due to dnsmasq running as nobody

Guido Günther agx at sigxcpu.org
Thu May 11 15:06:27 UTC 2017 

control: severity -1 wishlist
control: tag -1 -patch

Hi Christian,
On Thu, May 11, 2017 at 04:05:48PM +0200, Christian Ehrhardt wrote:
> Package: libvirt
> Version: 3.0.0-4
> Severity: normal
> 
> Hi libvirt Maintainers,
> 
> This change is about further limiting the potential fallout if a guest can
> break into the dnsmasq it can reach - there currently running as nobody it
> can reach other "nobodies".  The preferred solution is to run it as a
> service-specific system user. In this case, because there may be multiple
> dnsmasq daemons running, a separate libvirt-dnsmasq user (the dnsmasq
> package itself runs the dnsmasq daemon under a system user called
> unsurprisingly 'dnsmasq').

Not using nobody makes sense but…

[..snip..]
> +    if ! getent passwd libvirt-dnsmasq >/dev/null; then
> +        adduser --quiet \
> +                --system \
> +                --ingroup libvirt \

…adding it to the libvirt group gives it root like privileges since it
might get _full_ access to the libvirt daemon (it's the group used for
polkit and the default group in /etc/libvirt/libvirtd.conf for socket
based write access). This is a weakening of the current security model.

> +                --disabled-login \
> +                --disabled-password \
> +                --home /var/lib/libvirt/dnsmasq \
> +                --no-create-home \
> +                --gecos "Libvirt Dnsmasq" \
> +                libvirt-dnsmasq
> +    fi
>  }

Since the user does not own any files it should be removed on purge.

>  
>  
> diff --git a/debian/patches/dnsmasq-as-priv-user b/debian/patches/dnsmasq-as-priv-user
> new file mode 100644
> index 0000000..23bfde0
> --- /dev/null
> +++ b/debian/patches/dnsmasq-as-priv-user
> @@ -0,0 +1,215 @@
> +Title: Run DNSMASQ as libvirt-dnsmasq user
> +DEP: 3
> +Date: 2012-03-02
> +Drivers: Serge Hallyn
> +URL: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/938255
> +Abstract:
> + Generally it's bad form from a security perspective to run daemons as user
> + nobody because a vulnerability in one daemon will possibly allow it, when
> + compromised, to interfere with another daemon that is also running as nobody.
> + The preferred solution is to run it as a service-specific system user. In this
> + case, because there may be multiple dnsmasq daemons running, a separate
> + libvirt-dnsmasq user (the dnsmasq package itself runs the dnsmasq daemon under
> + a system user called unsurprisingly 'dnsmasq').
> +--- a/src/network/bridge_driver.c
> ++++ b/src/network/bridge_driver.c
> +@@ -1075,7 +1075,8 @@
> +                       "##    virsh net-edit %s\n"
> +                       "## or other application using the libvirt API.\n"
> +                       "##\n## dnsmasq conf file created by libvirt\n"
> +-                      "strict-order\n",
> ++                      "strict-order\n"
> ++                      "user=libvirt-dnsmasq\n",
> +                       network->def->name);

This should be brought up upstream since (if correctly implemented) it's
useful and…

> + 
> +     /* if dns is disabled, set its listening port to 0, which
> +--- a/tests/networkxml2confdata/dhcp6host-routed-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6host-routed-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/dhcp6-nat-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6-nat-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/dhcp6-network.conf
> ++++ b/tests/networkxml2confdata/dhcp6-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=mynet
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/isolated-network.conf
> ++++ b/tests/networkxml2confdata/isolated-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.152.1
> +--- a/tests/networkxml2confdata/nat-network.conf
> ++++ b/tests/networkxml2confdata/nat-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-forwarders.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-forwarders.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + no-resolv
> + server=8.8.8.8
> + server=8.8.4.4
> +--- a/tests/networkxml2confdata/nat-network-dns-forward-plain.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-forward-plain.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + domain-needed
> +--- a/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-srv-record-minimal.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.122.1
> +--- a/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-txt-record.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr0
> +--- a/tests/networkxml2confdata/netboot-network.conf
> ++++ b/tests/networkxml2confdata/netboot-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/netboot-proxy-network.conf
> ++++ b/tests/networkxml2confdata/netboot-proxy-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + domain=example.com
> + expand-hosts
> + except-interface=lo
> +--- a/tests/networkxml2confdata/routed-network.conf
> ++++ b/tests/networkxml2confdata/routed-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> ++++ b/tests/networkxml2confdata/nat-network-dns-local-domain.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + local=/example.com/
> + domain=example.com
> + expand-hosts
> +--- a/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> ++++ b/tests/networkxml2confdata/nat-network-name-with-quotes.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-interfaces
> + listen-address=192.168.122.1
> +--- a/tests/networkxml2confdata/open-network.conf
> ++++ b/tests/networkxml2confdata/open-network.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + except-interface=lo
> + bind-dynamic
> + interface=virbr1
> +--- a/tests/networkxml2confdata/ptr-domains-auto.conf
> ++++ b/tests/networkxml2confdata/ptr-domains-auto.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + local=/122.168.192.in-addr.arpa/
> + local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/
> + except-interface=lo
> +--- a/tests/networkxml2confdata/routed-network-no-dns.conf
> ++++ b/tests/networkxml2confdata/routed-network-no-dns.conf
> +@@ -5,6 +5,7 @@
> + ##
> + ## dnsmasq conf file created by libvirt
> + strict-order
> ++user=libvirt-dnsmasq
> + port=0
> + except-interface=lo
> + bind-dynamic

This is not maintainable.

Please use correct severities for bugs.
Cheers,
 -- Guido

More information about the Pkg-libvirt-maintainers mailing list