Bug 1033614 - Create a dedicated group for virt-login-shell
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
Reported: 2013-11-22 13:56 UTC by Jiri Denemark
Modified: 2014-06-18 00:59 UTC

Fixed In Version: libvirt-1.1.1-13.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:22:10 UTC

Description Jiri Denemark 2013-11-22 13:56:54 UTC
Description of problem:

As virt-login-shell is an SUID binary, we should restrict its usage to just the users chosen by an administrator to use virt-login-shell as their login shell. This can easily be done by making the binary executable only by users from a new virtlogin group.


Version-Release number of selected component (if applicable):

libvirt-1.1.1-12.el7

How reproducible:

100%

Steps to Reproduce:
1. rpmls -l libvirt-login-shell-1.1.1-*.el7
2. ls -l /usr/bin/virt-login-shell

Actual results:

-rwsr-xr-x. 1 root root /usr/bin/virt-login-shell

Expected results:

-rwsr-x---. 1 root virtlogin /usr/bin/virt-login-shell

Comment 1 Jiri Denemark 2013-11-22 14:26:10 UTC
Fixed upstream by v1.1.4-138-g0ee2364:

commit 0ee2364319c4b11d7e5eca5856d458b24a900024
Author: Jiri Denemark <jdenemar>
Date:   Fri Nov 22 12:13:03 2013 +0100

    spec: Restrict virt-login-shell usage
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1033614
    
    As virt-login-shell is an SUID binary, we should restrict its usage to
    just the users chosen by an administrator to use virt-login-shell as
    their login shell. This can easily be done by making the binary
    executable only by users from a new virtlogin group.

Comment 3 Hao Liu 2013-11-25 07:52:37 UTC
VERIFIED this fix:

Verification process:
for libvirt-login-shell-1.1.1-12.el7.x86_64:

# rpmls -l libvirt-login-shell-1.1.1-*.el7
-rw-r--r--  root     root     /etc/libvirt/virt-login-shell.conf
-rwsr-xr-x  root     root     /usr/bin/virt-login-shell
-rw-r--r--  root     root     /usr/share/man/man1/virt-login-shell.1.gz

# ls -l /usr/bin/virt-login-shell
-rwsr-xr-x. 1 root root 827144 Nov  8 23:23 /usr/bin/virt-login-shell

for libvirt-login-shell-1.1.1-13.el7.x86_64:
# rpmls -l libvirt-login-shell-1.1.1-*.el7
-rw-r--r--  root     root     /etc/libvirt/virt-login-shell.conf
-rwsr-x---  root     virtlogin /usr/bin/virt-login-shell
-rw-r--r--  root     root     /usr/share/man/man1/virt-login-shell.1.gz

# ls -l /usr/bin/virt-login-shell
-rwsr-x---. 1 root virtlogin 827168 Nov 23 00:17 /usr/bin/virt-login-shell

So this bug is fixed in libvirt-login-shell-1.1.1-13.el7.
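
The permission check from the verification above, as an added example that is not part of the original bug report or of libvirt: a POSIX shell function that classifies an `ls -l` line for a setuid binary against the expected `-rwsr-x--- root virtlogin` layout. The names `audit_ls_line` and `audit_file` and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify an `ls -l` line for a
# setuid binary against the layout this bug asks for: -rwsr-x--- root virtlogin.

# audit_ls_line EXPECTED_GROUP "LS_L_LINE"
# Prints NOT_SUID, WORLD_EXEC, WRONG_GROUP, GROUP_NOEXEC or OK.
# Returns 0 for OK/NOT_SUID, 1 for anything that needs attention.
audit_ls_line() {
    expected=$1
    set -f            # no glob expansion while splitting the line
    set -- $2         # $1=mode $2=links $3=owner $4=group ...
    set +f
    mode=$1 group=$4
    case $mode in
        ???[sS]*) ;;                                  # setuid bit is set
        *) echo NOT_SUID; return 0 ;;
    esac
    case $mode in
        ?????????[xt]*) echo WORLD_EXEC; return 1 ;;  # "other" may execute
    esac
    [ "$group" = "$expected" ] || { echo WRONG_GROUP; return 1; }
    case $mode in
        ??????[xs]*) echo OK ;;                       # group may execute
        *) echo GROUP_NOEXEC; return 1 ;;
    esac
}

# audit_file PATH EXPECTED_GROUP: same check against a file on disk.
audit_file() {
    audit_ls_line "$2" "$(ls -ld -- "$1")"
}

# The two `ls -l` lines quoted in comment 3 (before and after the fix).
before='-rwsr-xr-x. 1 root root 827144 Nov  8 23:23 /usr/bin/virt-login-shell'
after='-rwsr-x---. 1 root virtlogin 827168 Nov 23 00:17 /usr/bin/virt-login-shell'

for line in "$before" "$after"; do
    verdict=$(audit_ls_line virtlogin "$line") || true
    printf '%-12s %s\n' "$verdict" "$line"
done
```

On an installed system, `audit_file /usr/bin/virt-login-shell virtlogin` runs the same check against the real binary.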

Comment 4 Ludek Smid 2014-06-13 09:22:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

