Bug 2066775

Summary: The /tmp/v2v.XXXX directory has incorrect permissions if v2v is run by root
Product: Red Hat Enterprise Linux 9
Reporter: Xiaodai Wang <xiaodwan>
Component: virt-v2v
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA
QA Contact: Xiaodai Wang <xiaodwan>
Severity: high
Docs Contact:
Priority: high
Version: 9.0
CC: juzhou, kkiwi, lersek, mxie, pvlasin, rjones, tyan, tzheng, virt-bugs, virt-maint, vwu
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: virt-v2v-1.45.99-2.el9_0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2066773
Clones: 2068136
Environment:
Last Closed: 2022-05-17 13:42:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2066773
Bug Blocks: 2068136
Deadline: 2022-04-04

Comment 1 Richard W.M. Jones 2022-03-23 13:32:20 UTC
Requesting exception for this bug.  It is fixed upstream in
the following commits:

8de0ed72db nbdkit, qemuNBD: run_unix: formally require externally provided socket
4e7f206843 lib: Improve security of in/out sockets when running virt-v2v as root
f44c8d2e81 lib/nbdkit.ml: Correct copy/paste error in comment
88aaf8263a v2v: Move creation of v2v directory until after option parsing
5a60e9a4f6 lib, v2v: Move common code for creating v2v directory to Utils
c208bc97d8 lib: Remove Utils.metaversion
(refer to: https://github.com/libguestfs/virt-v2v/commits/master)

The code fix is not particularly complicated, but it will require careful testing
because it relies on fetching usernames from libvirt metadata and chowning
the directory etc.

If we don't fix this in RHEL 9.0 then there will technically be a security
bug in the case when root does a virt-v2v conversion on a shared machine with
untrusted non-root users.  The users will be able to read and modify data inside
the guests undergoing v2v conversion.  This is a somewhat unlikely scenario, but
possible.  It doesn't affect non-root uses of virt-v2v, and TBH you shouldn't
be running virt-v2v as root, but unfortunately containers do that.

I can do the build as soon as the exception is granted.

RHEL 9.1 bug: https://bugzilla.redhat.com/show_bug.cgi?id=2066773
Does not affect RHEL 8 or AV.
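The comment above describes the exposure: a work directory under /tmp that is created by a root-run conversion with permissions loose enough for untrusted local users to read or modify guest data. The following is an added illustration, not code from virt-v2v or from the upstream commits listed, of the two defensive halves of that story: creating a per-run directory that is private from the moment it exists, and auditing existing `/tmp/v2v.*` directories for the weak mode. The `v2v.XXXXXX` name pattern, the optional owner argument, and the use of GNU `stat -c` (Linux coreutils) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not virt-v2v's own code). Assumes a Linux host with GNU
# coreutils (stat -c, mktemp -d).

# Create a private per-run work directory and print its path.
# mktemp -d already creates the directory mode 0700; the umask and the
# explicit chmod make that independent of the caller's environment, so
# there is no window in which group/other can enter the directory.
# Usage: make_private_dir [owner]
make_private_dir() {
    dir=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/v2v.XXXXXX") || return 1
    chmod 0700 "$dir" || return 1
    # When root creates the directory on behalf of a named user (assumed
    # optional argument), hand it to that user so only they and root can
    # use it; the mode stays 0700.
    if [ -n "$1" ]; then
        chown "$1" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# Return 0 only if the directory's permission bits are exactly 0700,
# i.e. no read, write or search access for group or other.
dir_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# Report every v2v work directory under the temp dir that is not private.
# Prints one "INSECURE <path> mode=<octal> owner=<user>" line per finding.
audit_v2v_dirs() {
    for d in "${TMPDIR:-/tmp}"/v2v.*; do
        [ -d "$d" ] || continue
        if ! dir_is_private "$d"; then
            printf 'INSECURE %s mode=%s owner=%s\n' \
                "$d" "$(stat -c '%a' "$d")" "$(stat -c '%U' "$d")"
        fi
    done
}
```

A detection-side use is to run `audit_v2v_dirs` on a shared host while a root-run conversion is in progress: a directory reported as INSECURE with a mode such as 0755 is exactly the condition the bug describes, and the fixed package should never produce one.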

Comment 7 Richard W.M. Jones 2022-03-24 17:29:02 UTC
https://src.osci.redhat.com/rpms/virt-v2v/pull-request/2

Comment 14 errata-xmlrpc 2022-05-17 13:42:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: virt-v2v), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:2566