Bug 240266

Summary: Local Security problem in Virt-Manager
Product: Red Hat Enterprise Linux 5
Reporter: Hongbo Ni <hongbo>
Component: virt-manager
Assignee: Daniel Berrangé <berrange>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: 5.0
CC: herrold
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-16 13:41:09 UTC

Description Hongbo Ni 2007-05-16 05:30:47 UTC
Description of problem:

If one user opens a Virtual Machine Console for a Guest Domain and logs in as
root, another user on the same system (domain-0) can see/control the same
Guest domain without entering any root password.

Version-Release number of selected component (if applicable):

Virt-Manager 0.2.6

How reproducible: Every Time


Steps to Reproduce:

0. Base System (Domain-0) is CentOS x64 with the Virtualization kernel installed.
   Run Level=5
 * A para/full-virtualization guest (also CentOS 5 x64, let's call it Domain-1)
   has been installed on the system and works properly. Run Level=5
 * A normal user account called 'fred' is created on domain-0.
   'fred' is allowed to log in to his own desktop locally or remotely via VNC.

1. User A (the root)

 * Log in as 'root' to the GNOME desktop of Domain-0, click menu Application -
   System Tools - Virtual Machine Manager.
 * Now you will see your guest Domain-1 is listed in the 'Virtual Machine
   Manager' window.
 * Double click Domain-1 in the list; 'Domain-1 Virtual Machine Console' is now
   opened.
 * Now you have a login screen; log in as 'root' to Domain-1.
 * Now leave 'Domain-1 Virtual Machine Console' open.

2. User B (fred)

 * Log in using a VNC viewer/client as user 'fred' to the desktop of Domain-0.
   Or, since we allowed 'fred' to log in, 'fred' can use any way to log in to his
   desktop. VNC is just an example of a way to log in to the desktop.

 * 'fred' clicks menu Application - System Tools - Virtual Machine Manager.
 * When asked for 'Passwd for root', press the button 'Run as Unprivileged'.
 * Press 'Connect' to connect to the local Xen host.
 * Now you will see guest Domain-1 is listed in the 'Virtual Machine Manager'
   window.
 * Double click Domain-1 in the list.
 * When asked for 'New Keyring Passwd', press the 'Deny' button.
 * 'Domain-1 Virtual Machine Console' is now open. It's exactly the same
   console that user A (root) got. 'fred' can do anything to Domain-1 as root.

  
Actual results:

User B ('fred') got root access to Domain-1 without entering any root
password.

Expected results:

User B should not be allowed to have the same Virtual Machine Console without
a valid password to the virtual machine.

Additional info:

Comment 1 Daniel Berrangé 2007-05-16 13:41:09 UTC

*** This bug has been marked as a duplicate of 240264 ***