On Mon, 2018-07-09 at 13:06 +0200, Michael Biebl wrote:
> On 09.07.2018 at 08:32, Guido Günther wrote:
> > Hi Michael,
> > On Mon, Jul 09, 2018 at 01:30:16AM +0200, Michael Biebl wrote:
> > > Related to that is
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887852
> > >
> > > systemd upstream removed the uaccess bits, as they install /dev/kvm with
> > > 0666 permissions by default, claiming this would be safe nowadays.
> > >
> > > See
> > > https://github.com/systemd/systemd/pull/5597
> > > https://github.com/systemd/systemd/commit/b8fd3d82205f632ce001fade74fed287e1564a1a
> > >
> > > I think long term it would be best if the udev package sets up the
> > > correct permissions for /dev/kvm; the question is whether we follow the
> > > upstream default and make /dev/kvm 0666 or we choose 0640 (root:kvm) and
> > > revert the bits from b8fd3d82205f632ce001fade74fed287e1564a1a to re-add
> > > the uaccess tag.
> >
> > Yes, it'd be good to have correct permissions out of the box. Lots of
> > people don't know they need the kvm group for the user session, so 0640
> > wouldn't help the cause.
> > However, given the hardening that is currently going on in the kernel to
> > restrict user access to e.g. dmesg, it'd actually be nicer to not
> > have 0666. But if uaccess goes away it looks like the only way (if we
> > don't want to maintain the uaccess code).
>
> The uaccess mechanism is not going away. What has been dropped is the
> udev rule which applies the uaccess tag to the /dev/kvm device.
> We'd have to add a patch to add this udev rule back if we decide 0666 is
> not a good default in Debian.
>
> I've also CCed Ben as I'm interested in his opinion as kernel maintainer.
>
> Ben, from the kernel POV, do you consider the kvm functionality mature
> enough that we make it accessible to everyone (0666 root:root)
> or should we make it accessible only to users of group kvm, which needs
> explicit configuration (0660 root:kvm) and local, active users (tagging
> the device with uaccess and letting logind set an ACL)?
It is fairly mature, but it still has a large attack surface and occasional
security issues that can be exploited by the VM owner. So I think it makes
sense to restrict access to the kvm group and local logins. This should
mitigate the security issues on multiuser systems without too much
disruption.

Ben.

--
Ben Hutchings
Beware of programmers who carry screwdrivers. - Leonard Brandwein
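The thread contrasts three ways of exposing /dev/kvm: world-accessible (0666 root:root), group-restricted (0660 or 0640 root:kvm), and group-restricted plus a logind ACL for the active local seat via the udev uaccess tag. The script below is an added example, not code from the thread or from the systemd/udev project: it classifies a device node's mode into those classes, emits the udev rule that would restore the group-plus-uaccess setup, and, if run on a host that actually has /dev/kvm, reports the live state. The rule file name and the helper names are this example's own choices; the rule keys (KERNEL, GROUP, MODE, TAG+="uaccess") are the standard udev syntax.

```shell
#!/bin/sh
# Added example (not from the original thread): classify /dev/kvm exposure
# and print the udev rule that restores "group kvm + uaccess ACL" access.

# kvm_access_class MODE OWNER GROUP
# Classifies an octal mode string the way the thread discusses:
#   "world"      -> any user can open the node (0666-style)
#   "group:NAME" -> only members of NAME (plus the owner) can open it
#   "owner:NAME" -> only the owner can open it
# A digit with the read or write bit set (2..7) counts as "can open".
kvm_access_class() {
    mode=$1; owner=$2; group=$3
    perm=${mode#"${mode%???}"}      # last three octal digits
    other=${perm#??}                # world digit
    grp=${perm%?}; grp=${grp#?}     # group digit
    case "$other" in
        [2-7]) echo "world"; return 0 ;;
    esac
    case "$grp" in
        [2-7]) echo "group:$group"; return 0 ;;
    esac
    echo "owner:$owner"
}

# kvm_udev_rule
# Emits a rule equivalent to what the thread says upstream dropped:
# group-restricted mode plus the uaccess tag, so logind grants an ACL to
# the active local seat's user. Drop it into e.g.
# /etc/udev/rules.d/70-kvm-uaccess.rules (file name is this example's choice).
kvm_udev_rule() {
    printf '%s\n' 'KERNEL=="kvm", GROUP="kvm", MODE="0660", TAG+="uaccess"'
}

# kvm_report
# On a real host, shows mode/owner/group classification and, where getfacl
# exists, the ACL entries logind may have added for the local user.
kvm_report() {
    if [ ! -e /dev/kvm ]; then
        echo "/dev/kvm: not present on this host"
        return 0
    fi
    set -- $(stat -c '%a %U %G' /dev/kvm)   # GNU stat (Linux)
    echo "/dev/kvm: mode $1 $2:$3 -> $(kvm_access_class "$1" "$2" "$3")"
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p /dev/kvm 2>/dev/null | grep '^user:[^:]' || \
            echo "/dev/kvm: no per-user ACL entries (no uaccess grant active)"
    fi
}

# Stand-alone usage: report the live state, then show the restoring rule.
kvm_report
echo "udev rule to restore group+uaccess access:"
kvm_udev_rule
```

The classification deliberately treats a read-only group digit (as in the 0640 proposal) as "can open", since the security-relevant question in the thread is who can open the node at all, not whether they get write access. The ACL check only shows named-user entries; a world mode makes them irrelevant, which is exactly the point of the group-restricted default.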