|
|
c480ed |
From 0fce9e5a4f4e7f12a5eb2fc0cc44f30f26d83157 Mon Sep 17 00:00:00 2001
|
|
|
c480ed |
Message-Id: <0fce9e5a4f4e7f12a5eb2fc0cc44f30f26d83157@dist-git>
|
|
|
df3a49 |
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
|
df3a49 |
Date: Wed, 15 May 2019 21:40:57 +0100
|
|
|
df3a49 |
Subject: [PATCH] locking: restrict sockets to mode 0600
|
|
|
df3a49 |
MIME-Version: 1.0
|
|
|
df3a49 |
Content-Type: text/plain; charset=UTF-8
|
|
|
df3a49 |
Content-Transfer-Encoding: 8bit
|
|
|
df3a49 |
|
|
|
df3a49 |
The virtlockd daemon's only intended client is the libvirtd daemon. As
|
|
|
df3a49 |
such it should never allow clients from other user accounts to connect.
|
|
|
df3a49 |
The code already enforces this and drops clients from other UIDs, but
|
|
|
df3a49 |
we can get earlier (and thus stronger) protection against DoS by setting
|
|
|
df3a49 |
the socket permissions to 0600
|
|
|
df3a49 |
|
|
|
df3a49 |
Fixes CVE-2019-10132
|
|
|
df3a49 |
|
|
|
df3a49 |
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
|
|
df3a49 |
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
c480ed |
(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
|
|
|
df3a49 |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
df3a49 |
Message-Id: <20190515204058.28077-3-berrange@redhat.com>
|
|
|
df3a49 |
---
|
|
|
df3a49 |
src/locking/virtlockd-admin.socket.in | 1 +
|
|
|
df3a49 |
src/locking/virtlockd.socket.in | 1 +
|
|
|
df3a49 |
2 files changed, 2 insertions(+)
|
|
|
df3a49 |
|
|
|
df3a49 |
diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
|
|
|
df3a49 |
index 2a7500f3d0..f674c492f7 100644
|
|
|
df3a49 |
--- a/src/locking/virtlockd-admin.socket.in
|
|
|
df3a49 |
+++ b/src/locking/virtlockd-admin.socket.in
|
|
|
df3a49 |
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
|
|
df3a49 |
[Socket]
|
|
|
df3a49 |
ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
|
|
|
df3a49 |
Service=virtlockd.service
|
|
|
df3a49 |
+SocketMode=0600
|
|
|
df3a49 |
|
|
|
df3a49 |
[Install]
|
|
|
df3a49 |
WantedBy=sockets.target
|
|
|
df3a49 |
diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
|
|
|
df3a49 |
index 45e0f20235..d701b27516 100644
|
|
|
df3a49 |
--- a/src/locking/virtlockd.socket.in
|
|
|
df3a49 |
+++ b/src/locking/virtlockd.socket.in
|
|
|
df3a49 |
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
|
|
df3a49 |
|
|
|
df3a49 |
[Socket]
|
|
|
df3a49 |
ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
|
|
|
df3a49 |
+SocketMode=0600
|
|
|
df3a49 |
|
|
|
df3a49 |
[Install]
|
|
|
df3a49 |
WantedBy=sockets.target
|
|
|
df3a49 |
--
|
|
|
c480ed |
2.22.0
|
|
|
df3a49 |
|