[Bug 1101420] New: spice-gtk: introduce separate group for spice-client-glib-usb-acl-helper setuid binary
http://bugzilla.suse.com/show_bug.cgi?id=1101420

Bug ID: 1101420
Summary: spice-gtk: introduce separate group for spice-client-glib-usb-acl-helper setuid binary
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Virtualization:Tools
Assignee: cbosdonnat@suse.com
Reporter: matthias.gerstner@suse.com
QA Contact: security-team@suse.de
CC: dimstar@opensuse.org, seife@novell.slipkontur.de
Found By: ---
Blocker: ---

In bug 744251 the whitelisting of spice-client-glib-usb-acl-helper has been discussed for years without any result. A lot of users have complained about this helper not working out of the box. Requiring users to add the setuid bit manually is not a good approach.

The security team will agree to whitelist this setuid binary when it is limited to a separate group. Interested users can then add themselves to this group and gain access to the setuid binary. This keeps the attack surface low, the decision to use it explicit and it is still a clearly defined property that doesn't get lost upon updates.

It would be nice if you could take the necessary steps to introduce an appropriate group for spice-gtk.

Basically we could be using the 'trusted' group that already exists. But this group is a catch-it-all group that allows access to a plethora of different setuid binaries already. We would like to avoid extended usage of this group. Maybe there already is a suitable virtualization related group or we can introduce one.

Maybe such a group setup and whitelisting could also be backported to SLE-15 and Leap-15.

--
You are receiving this mail because: You are on the CC list for the bug.
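Added example (not part of the bug report or of any openSUSE tooling): a shell check for the property requested above, a setuid helper that only members of one group can execute. It assumes that property is expressed as owner root, the chosen group, and mode 4750, and that GNU stat is available; helper_exposure and audit_helper are hypothetical names.

```shell
#!/bin/sh
# Added example. Assumption: "limited to a separate group" means the helper
# is setuid, owned by root, executable by one group, and closed to "other".

# helper_exposure MODE
# Classify an octal permission mode (e.g. 4750) and print one of:
#   invalid | not-setuid | world-writable | group-writable |
#   world-executable | owner-only | group-restricted
helper_exposure() {
    mode=$1
    case $mode in
        ''|*[!0-7]*) echo invalid; return 2 ;;
    esac
    bits=$((0$mode))    # leading 0 makes the shell read the value as octal
    if   [ $((bits & 04000)) -eq 0 ]; then echo not-setuid
    elif [ $((bits & 00002)) -ne 0 ]; then echo world-writable
    elif [ $((bits & 00020)) -ne 0 ]; then echo group-writable
    elif [ $((bits & 00001)) -ne 0 ]; then echo world-executable
    elif [ $((bits & 00010)) -eq 0 ]; then echo owner-only
    else echo group-restricted
    fi
}

# audit_helper PATH GROUP
# Succeeds only if PATH is setuid root, owned by group GROUP, and the mode
# classifies as group-restricted. Prints what it found either way.
audit_helper() {
    path=$1
    want_group=$2
    [ -f "$path" ] || { echo "$path: missing"; return 3; }
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    class=$(helper_exposure "$1")
    echo "$path $2:$3 $1 -> $class"
    [ "$class" = group-restricted ] && [ "$2" = root ] && [ "$3" = "$want_group" ]
}

# usage (path and group as named later in this thread):
#   audit_helper /usr/lib/qemu-bridge-helper kvm
```

A world-executable result means any local user can reach the setuid code path; group-restricted means only root and members of the named group can.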
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c1
Cédric Bosdonnat
Thomas Wagner

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c3
James Fehlig
> Jim, Mike, do we have some other setuid tools that could go in a virtualization-specific group? I don't have any in mind ATM...

I thought libvirt had a straggler, but if so I can't find it now. Perhaps I'm thinking of an old lxc tool. I also quickly checked sanlock, vhostmd, xen, and qemu and only found /usr/lib/qemu-bridge-helper from the qemu-tools package. Xen and qemu are quite large though, so let's add Charles and Bruce to double check. One package I didn't check, but assume you know something about, is libguestfs :-).

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c4
--- Comment #4 from Charles Arnold
> (In reply to Cédric Bosdonnat from comment #1)
> > Jim, Mike, do we have some other setuid tools that could go in a virtualization-specific group? I don't have any in mind ATM...
> I thought libvirt had a straggler, but if so I can't find it now. Perhaps I'm thinking of an old lxc tool. I also quickly checked sanlock, vhostmd, xen, and qemu and only found /usr/lib/qemu-bridge-helper from the qemu-tools package. Xen and qemu are quite large though, so let's add Charles and Bruce to double check.

Poking around I don't see anything that Xen creates that uses setuid permissions.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c5
--- Comment #5 from Cédric Bosdonnat
> I thought libvirt had a straggler, but if so I can't find it now. Perhaps I'm thinking of an old lxc tool. I also quickly checked sanlock, vhostmd, xen, and qemu and only found /usr/lib/qemu-bridge-helper from the qemu-tools package.

That one tool is already in the kvm group... I think I'll add the spice-client-glib-usb-acl-helper in either the libvirt or the kvm group. Maybe the kvm one would be better since users may get KVM + spice without libvirt.

(In reply to James Fehlig from comment #3)
> One package I didn't check, but assume you know something about, is libguestfs :-).

Just checked, but libguestfs has no setuid bit set and nothing where that would be needed.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c6
--- Comment #6 from Matthias Gerstner
> That one tool is already in the kvm group... I think I'll add the spice-client-glib-usb-acl-helper in either the libvirt or the kvm group. Maybe the kvm one would be better since users may get KVM + spice without libvirt.

I'd also vote for the kvm group since it refers more generically to virtualization while libvirt is a special package concerned with virtualization.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c7
--- Comment #7 from James Fehlig
> That one tool is already in the kvm group... I think I'll add the spice-client-glib-usb-acl-helper in either the libvirt or the kvm group. Maybe the kvm one would be better since users may get KVM + spice without libvirt.

Xen+libvirt supports spice too. ATM only a subset of the qemu+libvirt features are supported.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c8
--- Comment #8 from James Fehlig
> I'd also vote for the kvm group since it refers more generically to virtualization while libvirt is a special package concerned with virtualization.

It's the other way around. KVM is a specific hypervisor technology, whereas libvirt provides a hypervisor abstraction. But WRT this bug, I'm fine with either group.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c9
--- Comment #9 from Matthias Gerstner
> It's the other way around. KVM is a specific hypervisor technology, whereas libvirt provides a hypervisor abstraction. But WRT this bug, I'm fine with either group.

Agreed. Still it feels strange to use the libvirt group for spice-gtk when it doesn't have anything to do with libvirt per se. The same is probably true for kvm then though. Security-wise either group will do.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c10
--- Comment #10 from Bruce Rogers
> (In reply to Cédric Bosdonnat from comment #1)
> > Jim, Mike, do we have some other setuid tools that could go in a virtualization-specific group? I don't have any in mind ATM...
> I thought libvirt had a straggler, but if so I can't find it now. Perhaps I'm thinking of an old lxc tool. I also quickly checked sanlock, vhostmd, xen, and qemu and only found /usr/lib/qemu-bridge-helper from the qemu-tools package. Xen and qemu are quite large though, so let's add Charles and Bruce to double check.
> One package I didn't check, but assume you know something about, is libguestfs :-).

I think the bridge helper is the only one from the qemu side.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c11
--- Comment #11 from Bruce Rogers
> That one tool is already in the kvm group... I think I'll add the spice-client-glib-usb-acl-helper in either the libvirt or the kvm group. Maybe the kvm one would be better since users may get KVM + spice without libvirt.

The kvm group comes with both the qemu related tools and helpers via the qemu-tools package, as well as qemu package proper. I'd be ok with the spice helper relying on the kvm group for this. I think a dependency on the qemu-tools package for that should be fine.

http://bugzilla.suse.com/show_bug.cgi?id=1101420#c12
Matthias Gerstner
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c13
--- Comment #13 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c14
--- Comment #14 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c17
Cédric Bosdonnat
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c18
--- Comment #18 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c19
--- Comment #19 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c20
--- Comment #20 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1101420#c21
--- Comment #21 from Swamp Workflow Management