if (name && name[0] == '\0')
name = NULL;
+ if (!name && virIsSUID()) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("An explicit URI must be provided when setuid"));
+ goto failed;
+ }
+
/*
* If no URI is passed, then check for an environment string if not
* available probe the compiled in drivers to find a default hypervisor
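Review bot: The new guard `if (!name && virIsSUID())` carries no comment, and its position is the security-relevant part: it sits directly above the block that, per the existing comment, falls back to an environment string and driver probing when no URI is passed. A short comment such as `/* In setuid mode never fall back to an environment-supplied or probed URI; the caller must name one explicitly. */` would stop a later refactor from moving the check below that fallback. The rejection is also reported as `VIR_ERR_INTERNAL_ERROR` although it is a caller error; `VIR_ERR_INVALID_ARG` would let callers and log triage tell a policy refusal from a genuine internal fault, and the same applies to the transport check in the second hunk. The enclosing function starts and ends outside the hunk.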
transport = trans_unix;
}
+ /*
+ * We don't want to be executing external programs in setuid mode,
+ * so this rules out 'ext' and 'ssh' transports. Exclude libssh
+ * and tls too, since we're not confident the libraries are safe
+ * for setuid usage. Just allow UNIX sockets, since that does
+ * not require any external libraries or command execution
+ */
+ if (virIsSUID() &&
+ transport != trans_unix) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Only Unix socket URI transport is allowed in setuid mode"));
+ return VIR_DRV_OPEN_ERROR;
+ }
+
/* Local variables which we will initialize. These can
* get freed in the failed: path.
*/
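Review bot: The check `virIsSUID() && transport != trans_unix` constrains only the transport, while the comment above it states a wider goal: no external program execution in setuid mode. Whether code later in this function, on the UNIX-socket path, can still start a helper process or act on URI parameters cannot be confirmed from the lines shown; if it can, that code needs its own `virIsSUID()` guard. I would end the comment with a sentence making that scope explicit, e.g. `This only restricts the transport; any other setuid restriction must be enforced where the relevant option is handled.` The bare `return VIR_DRV_OPEN_ERROR` looks safe for the locals declared below it, which the following comment says are freed at `failed:`, but anything allocated earlier while the transport was being determined would not be released. The function body starts and ends outside the hunk.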