Fedora Account System
Red Hat Associate
Red Hat Customer
When qmp_guest_ssh_add_authorized_keys adds an SSH key for an existing local user, the agent (running as root) decides whether to create the user's .ssh directory with a symlink-following directory test, and then writes and chowns the authorized_keys file using a plain chown (not lchown). A local unprivileged user who owns their home directory can pre-stage their .ssh directory (or the authorized_keys file) as a symbolic link so that, when the host or operator triggers a key add for that user, the root agent follows the link and transfers ownership of an arbitrary root-owned file or directory to the unprivileged user, who can then rewrite it to obtain root. Patch: https://patchew.org/QEMU/20260709105707.91209-1-kkostiuk@redhat.com/