openSUSE:Step:15-SP1
File b196f8fc-CVE-2020-15708-doc.patch of Package libvirt.22292
libvirtd.conf: Add a note about polkit auth in SUSE Polkit auth is enabled by default in SUSE distros. As a result, libvirt's read-write socket has SocketMode=0666. This would result in an insecure configuration if the user were to disable polkit. Add a note warning the user to change SocketMode if disabling polkit auth. See bsc#1174955 for more details. CVE-2020-15708 Inspired by upstream commit b196f8fcdd Index: libvirt-5.1.0/src/remote/libvirtd.conf =================================================================== --- libvirt-5.1.0.orig/src/remote/libvirtd.conf +++ libvirt-5.1.0/src/remote/libvirtd.conf 
@@ -134,20 +134,29 @@ # is allowed read/only access. # # Set an authentication scheme for UNIX read-only sockets +# # By default socket permissions allow anyone to connect # -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -#auth_unix_ro = "none" +# SUSE note: +# Polkit is the default authentication scheme for the read-only +# socket. libvirt will authenticate read-only socket connections +# with polkit, but the default polkit policy allows any local +# user access to libvirt's monitoring APIs. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +#auth_unix_ro = "polkit" # Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -#auth_unix_rw = "none" +# +# SUSE note: +# Polkit is the default authentication scheme for the read-write +# socket. The permissions of unix_sock_rw_perms is set to 0777, +# which allows any user to connect. However, the default polkit +# policy will only authenticate the root user. If you disable use +# of 'polkit' here, then it is essential to change +# unix_sock_rw_perms to 0600 to avoid an insecure configuration. +#auth_unix_rw = "polkit" # Change the authentication scheme for TCP sockets. # Index: libvirt-5.1.0/src/remote/test_libvirtd.aug.in =================================================================== --- libvirt-5.1.0.orig/src/remote/test_libvirtd.aug.in +++ libvirt-5.1.0/src/remote/test_libvirtd.aug.in 
@@ -14,8 +14,8 @@ module Test_libvirtd = { "unix_sock_rw_perms" = "0770" } { "unix_sock_admin_perms" = "0700" } { "unix_sock_dir" = "/var/run/libvirt" } - { "auth_unix_ro" = "none" } - { "auth_unix_rw" = "none" } + { "auth_unix_ro" = "polkit" } + { "auth_unix_rw" = "polkit" } { "auth_tcp" = "sasl" } { "auth_tls" = "none" } { "access_drivers"
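Review bot: In the read-write socket note of the libvirtd.conf hunk, the new comment says unix_sock_rw_perms "is set to 0777", while the commit message describes the same socket as having SocketMode=0666. The two should name the same mode, or the comment should say which setting each value refers to, because an administrator acting on this warning needs to know what the current value actually is before changing it to 0600. The warning is also documentation only: nothing in the hunk makes a configuration with polkit disabled and a world-accessible read-write socket fail or log a warning, so a startup check for that combination would be a worthwhile follow-up. Minor wording: "The permissions of unix_sock_rw_perms is set" should read "are set".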
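Review bot: In the test_libvirtd.aug.in hunk, the unchanged context line still expects { "unix_sock_rw_perms" = "0770" }, which does not match the 0777 that the new libvirtd.conf comment states for the read-write socket. Only the auth_unix_ro and auth_unix_rw expectations are updated to "polkit" here, so the sample value and the documented SUSE default for the socket mode now disagree. Either note in libvirtd.conf that the commented unix_sock_rw_perms example is not the SUSE default, or align the example and this expectation with the value the note describes.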