cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marcus <shadow...@gmail.com>
Subject KVM securing root
Date Thu, 23 Apr 2015 23:17:09 GMT
Has anyone had experience with securing the KVM agent, specifically
getting it to run as non-root. I've looked a bit, and I believe it
would require code changes.  An initial, simple plan for this (that
involves code fixes) might be to do something like:

1) generate a list of included scripts during packaging and create a
file for /etc/sudoers.d to allow a cloudstack user to run these. User
and sudoers file are added by the package (?)
2) make sure the libvirt socket is owned by the cloudstack group in
/etc/libvirt/libvirtd.conf
3) change the code to pass the sudo boolean to every Script command
4) audit for any other hardcoded root paths (e.g. the ssh keys dir) or
system commands needed
5) change init script to launch agent as cloudstack user

Obviously this doesn't go all the way into auditing how all of the
scripts act, or path issues, etc, but it could be a good first step.
It would protect against malicious strings passed as parameters to
these scripts, but perhaps not in cases were they might be escaped at
the first exec and run by the script itself.

Alternatively, we could audit all of the scripts, adding sudo where
necessary and manually including those into a sudoers.d config.

As an in-between, we could add all of the packaged scripts to a
sudoers file, and remove them slowly as we audit each script.

Mime
View raw message