List: oss-security
Subject: Re: [oss-security] docker VMM breakout
From: Sven Kieske <S.Kieske () mittwald ! de>
Date: 2014-06-18 13:39:49
Message-ID: 53A1971F.6010302 () mittwald ! de
On 18.06.2014 12:15, David Jorm wrote:
> I tested libvirt via virsh and by default both CAP_DAC_READ_SEARCH and
> CAP_DAC_OVERRIDE are available (and thus the PoC does run). However,
> this default is well documented as is the general insecurity of libvirt
> in regards to DAC, so I don't think a CVE ID is required for libvirt.
I fail to see why this should be true.
On most distributions, libvirt-spawned VMs do not run as root but as the user
qemu or similar.
According to the documentation at:
http://libvirt.org/drvqemu.html#securitycap
this should imply that libvirt drops these capabilities.
Please correct me if I'm wrong.
--
Kind regards / Regards
Sven Kieske
System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
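The question above (does the qemu process actually run without CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, the two capabilities the breakout PoC depends on) can be settled directly on the host rather than from the documentation. The program below is an added example for this thread, not code from the thread, from libvirt or from the PoC: it reads the CapEff line of /proc/<pid>/status and reports whether either capability is in the effective set. It assumes a Linux host, that the target pid is readable under /proc, and that the capability bit numbers are the ones defined in <linux/capability.h> (CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2); the sample CapEff lines in the comments are constructed.

```c
/* Added example (not from the thread, libvirt, or the PoC): report whether a
 * process still holds CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH by decoding the
 * CapEff mask from /proc/<pid>/status.
 * Build: cc -o capcheck capcheck.c
 * Run:   ./capcheck            (this process)
 *        ./capcheck <pid>      (e.g. the pid of a libvirt-started qemu) */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers as defined in <linux/capability.h>; hard-coded here so the
 * example also compiles where that header is unavailable. */
#define CAP_DAC_OVERRIDE_BIT    1
#define CAP_DAC_READ_SEARCH_BIT 2

/* Parse one "CapEff:\t0000003fffffffff" style line into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a CapEff line or is malformed. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    static const char prefix[] = "CapEff:";
    size_t plen = sizeof prefix - 1;

    if (strncmp(line, prefix, plen) != 0)
        return -1;

    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;

    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;

    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number `bit` is present in `mask`, else 0. */
int cap_is_set(uint64_t mask, int bit)
{
    return (int)((mask >> bit) & 1ULL);
}

/* 1 if the mask contains either capability the PoC relies on, else 0. */
int poc_caps_in_mask(uint64_t mask)
{
    return cap_is_set(mask, CAP_DAC_OVERRIDE_BIT) ||
           cap_is_set(mask, CAP_DAC_READ_SEARCH_BIT);
}

/* Scan a /proc/<pid>/status style stream for the CapEff line.
 * Returns 0 and fills `mask` on success, -1 if no usable line was found. */
int read_capeff(FILE *fp, uint64_t *mask)
{
    char line[256];
    while (fgets(line, sizeof line, fp) != NULL) {
        if (parse_capeff_line(line, mask) == 0)
            return 0;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");

    FILE *fp = fopen(path, "r");
    if (fp == NULL) {
        perror(path);
        return 2;
    }

    uint64_t mask = 0;
    int rc = read_capeff(fp, &mask);
    fclose(fp);
    if (rc != 0) {
        fprintf(stderr, "%s: no CapEff line found\n", path);
        return 2;
    }

    printf("%s: CapEff=%016llx DAC_OVERRIDE=%d DAC_READ_SEARCH=%d\n",
           path, (unsigned long long)mask,
           cap_is_set(mask, CAP_DAC_OVERRIDE_BIT),
           cap_is_set(mask, CAP_DAC_READ_SEARCH_BIT));

    /* Exit 1 when the PoC's prerequisites are present, 0 when they are dropped,
     * so the check can be scripted across all qemu pids on a host. */
    return poc_caps_in_mask(mask) ? 1 : 0;
}
```

A libvirt-started qemu that has really dropped its capabilities shows CapEff=0000000000000000 and the program exits 0; a root shell typically shows a mask with bits 1 and 2 set and exits 1. Checking the qemu pid rather than the libvirtd pid matters, because libvirtd itself is expected to keep capabilities.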