Cannot start domain using user session

Ben Hutchings ben at decadent.org.uk
Mon Jul 9 19:37:37 BST 2018


On Mon, 2018-07-09 at 13:06 +0200, Michael Biebl wrote:
> On 09.07.2018 at 08:32, Guido Günther wrote:
> > Hi Michael,
> > On Mon, Jul 09, 2018 at 01:30:16AM +0200, Michael Biebl wrote:
> > > Related to that is
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887852
> > > 
> > > systemd upstream removed the uaccess bits, as they install /dev/kvm with
> > > 0666 permissions by default, claiming this would be safe nowadays.
> > > 
> > > See
> > > https://github.com/systemd/systemd/pull/5597
> > > https://github.com/systemd/systemd/commit/b8fd3d82205f632ce001fade74fed287e1564a1a
> > > 
> > > I think long term it would be best if the udev package sets up the
> > > correct permissions for /dev/kvm; the question is whether we follow the
> > > upstream default and make /dev/kvm 0666 or we choose 0640 (root:kvm) and
> > > revert the bits from b8fd3d82205f632ce001fade74fed287e1564a1a to re-add
> > > the uaccess tag.
> > 
> > Yes, it'd be good to have correct permissions out of the box. Lots of
> > people don't know they need the kvm group for the user session - so 0640
> > wouldn't help the cause.
> > However, given the hardening that is currently going on in the kernel to
> > restrict user access to e.g. dmesg, it'd actually be nicer to not
> > have 0666. But if uaccess goes away it looks like the only way (if we
> > don't want to maintain the uaccess code).
> 
> The uaccess mechanism is not going away. What has been dropped is the
> udev rule which applies the uaccess tag to the /dev/kvm device.
> We'd have to add a patch to add this udev rule back if we decide 0666 is
> not a good default in Debian.
> 
> I've also CCed Ben as I'm interested in his opinion as kernel maintainer.
> Ben, from the kernel POV, do you consider the kvm functionality mature
> enough that we make it accessible to everyone (0666 root:root),
> or should we make it accessible only to users of group kvm, which needs
> explicit configuration (0660 root:kvm), and local, active users (tagging
> the device with uaccess and letting logind set an ACL)?

It is fairly mature, but it still has a large attack surface and
occasional security issues that can be exploited by the VM owner.  So I
think it makes sense to restrict access to the kvm group and local
logins.  This should mitigate the security issues on multiuser systems
without too much disruption.

Ben.

-- 
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
