Bug 1033614

Summary: Create a dedicated group for virt-login-shell
Product: Red Hat Enterprise Linux 7
Component: libvirt
Version: 7.0
Reporter: Jiri Denemark <jdenemar>
Assignee: Jiri Denemark <jdenemar>
QA Contact: Virtualization Bugs <virt-bugs>
CC: acathrow, dyuan, hliu, lcui, mjenner, mzhan
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libvirt-1.1.1-13.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:22:10 UTC
Type: Bug

Description Jiri Denemark 2013-11-22 13:56:54 UTC
Description of problem:

As virt-login-shell is an SUID binary, we should restrict its usage to just the users chosen by an administrator to use virt-login-shell as their login shell. This can easily be done by making the binary executable only by users from a new virtlogin group.


Version-Release number of selected component (if applicable):

libvirt-1.1.1-12.el7

How reproducible:

100%

Steps to Reproduce:
1. rpmls -l libvirt-login-shell-1.1.1-*.el7
2. ls -l /usr/bin/virt-login-shell

Actual results:

-rwsr-xr-x. 1 root root /usr/bin/virt-login-shell

Expected results:

-rwsr-x---. 1 root virtlogin /usr/bin/virt-login-shell

Comment 1 Jiri Denemark 2013-11-22 14:26:10 UTC
Fixed upstream by v1.1.4-138-g0ee2364:

commit 0ee2364319c4b11d7e5eca5856d458b24a900024
Author: Jiri Denemark <jdenemar>
Date:   Fri Nov 22 12:13:03 2013 +0100

    spec: Restrict virt-login-shell usage
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1033614
    
    As virt-login-shell is an SUID binary, we should restrict its usage to
    just the users chosen by an administrator to use virt-login-shell as
    their login shell. This can easily be done by making the binary
    executable only by users from a new virtlogin group.

Comment 3 Hao Liu 2013-11-25 07:52:37 UTC
VERIFIED this fix:

Verification process:
for libvirt-login-shell-1.1.1-12.el7.x86_64:

# rpmls -l libvirt-login-shell-1.1.1-*.el7
-rw-r--r--  root     root     /etc/libvirt/virt-login-shell.conf
-rwsr-xr-x  root     root     /usr/bin/virt-login-shell
-rw-r--r--  root     root     /usr/share/man/man1/virt-login-shell.1.gz

# ls -l /usr/bin/virt-login-shell
-rwsr-xr-x. 1 root root 827144 Nov  8 23:23 /usr/bin/virt-login-shell

for libvirt-login-shell-1.1.1-13.el7.x86_64:
# rpmls -l libvirt-login-shell-1.1.1-*.el7
-rw-r--r--  root     root     /etc/libvirt/virt-login-shell.conf
-rwsr-x---  root     virtlogin /usr/bin/virt-login-shell
-rw-r--r--  root     root     /usr/share/man/man1/virt-login-shell.1.gz

# ls -l /usr/bin/virt-login-shell
-rwsr-x---. 1 root virtlogin 827168 Nov 23 00:17 /usr/bin/virt-login-shell

So this bug is fixed in libvirt-login-shell-1.1.1-13.el7.

Comment 4 Ludek Smid 2014-06-13 09:22:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
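
The check done by eye in comment 3, as an added shell example that is not part of the bug report or of libvirt: it confirms that a setuid binary belongs to the expected group and grants no permission bits to other users. The function name check_suid_restricted is hypothetical, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example, not libvirt code. Assumes GNU stat (coreutils).

# check_suid_restricted PATH GROUP
# Prints a one-line verdict and returns 0 only if PATH is setuid,
# is owned by group GROUP, and has no permission bits set for "other"
# (the -rwsr-x--- root:virtlogin layout the bug asks for).
check_suid_restricted() {
    path=$1
    want_group=$2

    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi

    # %a = octal mode (e.g. 4750), %U = owner name, %G = group name
    read -r mode owner group <<EOF
$(stat -c '%a %U %G' "$path")
EOF

    # A leading 0 makes the shell read the mode string as octal.
    m=$((0$mode))

    if [ $((m & 04000)) -eq 0 ]; then
        echo "NOT-SUID $path mode=$mode $owner:$group"
        return 1
    fi
    if [ $((m & 0007)) -ne 0 ]; then
        # Any user on the system can reach the setuid binary.
        echo "WORLD-ACCESSIBLE $path mode=$mode $owner:$group"
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "WRONG-GROUP $path mode=$mode $owner:$group (want $want_group)"
        return 1
    fi

    echo "OK $path mode=$mode $owner:$group"
    return 0
}

# Usage: script PATH [GROUP]; the group defaults to virtlogin.
[ $# -eq 0 ] || check_suid_restricted "$1" "${2:-virtlogin}"
```

Run against /usr/bin/virt-login-shell, this reports WORLD-ACCESSIBLE for the -rwsr-xr-x mode shown for 1.1.1-12.el7 and OK for the -rwsr-x--- root:virtlogin mode shown for 1.1.1-13.el7.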