Description Matthias Maier 2011-08-13 21:22:37 UTC

Running the libvirtd on a host and defining a disk image like

  <disk type='file' device='disk'>
    <driver name='qemu' type='raw'/>
    <source file='/etc/shadow'/>
    <target dev='hdc' bus='ide'/>
    <address type='drive' controller='0' bus='1' unit='0'/>
  </disk>

results in 

  # cat /var/log/libvirt/libvirt.log
  22:48:01.415: 26022: info : virSecurityDACSetOwnership:99 : Setting DAC user and group on '/etc/shadow' to '999:999'

  # ls -la shadow                                               
  -rw------- 1 qemu qemu 1255 12. Aug 01:52 shadow

A
  $ less -f /dev/sda
in the guest gives full read/write access to the file.

* Please note that this behaviour can also be triggered by a configuration of the form:

  <disk type='file' device='cdrom'>
    <driver name='qemu' type='raw'/>
    <source file='/etc/shadow'/>
    <target dev='hdc' bus='ide'/>
    <readonly/>
    <address type='drive' controller='0' bus='1' unit='0'/>
  </disk>
But it's a bit harder to actually read the file from the guest account.

(Why a UID/GID change is necessary for a read-only ISO image is another question.)

There should be some sort of policy preventing this and giving some sort of privilege separation between
  - libvirtd, running as root
  - the administrator (running virsh or another tool) for managing libvirtd and virtual guests
  - The user (in this case qemu with UID=999) under which the (qemu-kvm) guests     are running.
  - The guest environment itself.

The DAC "Security"-Feature in this case destroys the separation between the root user (of the host) and the administrator. (and root and the user under which the qemu-kvm guests are running.)

Reproducible: Always