forked from pool/libvirt
9b252d2501
- admin: reject clients unless their UID matches the server UID CVE-2019-10132 96f41cd7-admin-reject-clients.patch, f111e094-locking-restrict-sockets-to-mode-0600.patch, e37bd65f-logging-restrict-sockets-to-mode-0600.patch bsc#1134348 OBS-URL: https://build.opensuse.org/request/show/704536 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=756
42 lines
1.5 KiB
commit f111e09468693909b1f067aa575efdafd9a262a1
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Tue Apr 30 16:51:37 2019 +0100
locking: restrict sockets to mode 0600
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
===================================================================
--- libvirt-5.3.0.orig/src/locking/virtlockd-admin.socket.in
|
|
+++ libvirt-5.3.0/src/locking/virtlockd-admin.socket.in
|
|
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
|
[Socket]
|
|
ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
|
|
Service=virtlockd.service
|
|
+SocketMode=0600
|
|
|
|
[Install]
|
|
WantedBy=sockets.target
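Review bot: The added `SocketMode=0600` line restricts the admin socket to its owner, but the unit sets no `SocketUser`/`SocketGroup`, so the owner is whatever user systemd creates the socket as (root on a system instance) and the protection only works if libvirtd connects under that same UID; the commit message implies that pairing but the unit does not document it. This mode is also a systemd-side control that only takes effect when the socket is created by this unit, so a virtlockd started some other way would get its listener mode from the daemon itself, which this hunk does not touch, and the in-daemon UID check the message describes remains the authoritative gate. A comment above the option would make the intent explicit for the next person editing the unit: `# Owner-only: libvirtd (same UID as virtlockd) is the only intended client; the daemon also rejects other UIDs (CVE-2019-10132)`.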
|
|
Index: libvirt-5.3.0/src/locking/virtlockd.socket.in
===================================================================
--- libvirt-5.3.0.orig/src/locking/virtlockd.socket.in
|
|
+++ libvirt-5.3.0/src/locking/virtlockd.socket.in
|
|
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
|
|
|
[Socket]
|
|
ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
|
|
+SocketMode=0600
|
|
|
|
[Install]
|
|
WantedBy=sockets.target
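Review bot: The new `SocketMode=0600` only applies when systemd next binds the listening socket, so on an in-place package upgrade a `virtlockd.socket` unit that is already active keeps its existing socket file and the old, more permissive mode until the socket unit is restarted or the host reboots; unless the packaging already handles this, the spec's post-install step should reload and restart the socket unit for the fix to be live. Since virtlockd holds locks on behalf of running guests, that restart needs to be sequenced so the service itself is not torn down. This is presumably also true of the admin socket in the previous hunk.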
|