libvirt-dnsmasq user should not be in group libvirt

Bug #1690729 reported by Christian Ehrhardt 
Affects           Status        Importance  Assigned to         Milestone
libvirt           New           Unknown
libvirt (Ubuntu)  Fix Released  Medium      Christian Ehrhardt

Bug Description

The Ubuntu delta adds running the dnsmasq for guest bridges as a separate user for better isolation (good).
But it adds it to group libvirt, which is too much power, in some sense almost increasing the power of that service instead of lowering it.

Not so sure on SRUing user modifications, but at least on the next merge we should make sure to also create a libvirt-dnsmasq group, make the user part of that and be really safe then.
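
An audit check for the condition described above, added here as an example and not code from the bug report or the libvirt package: it parses /etc/passwd and /etc/group style text and reports whether the libvirt-dnsmasq user sits in the powerful libvirt group or in a dedicated libvirt-dnsmasq group. The account lines, uids and gids below are constructed samples, not Ubuntu's actual values.

```shell
#!/bin/sh
# Audit check for the problem in this bug: is the libvirt-dnsmasq service
# user a member of the powerful libvirt group, or of its own dedicated group?
# Account data is passed as /etc/passwd and /etc/group text so the same
# functions work on a live host or on the constructed samples below.

# Print every group USER belongs to, one per line: the primary group (via the
# gid field of passwd) plus supplementary groups (the member list in group).
user_groups() {
    user=$1; passwd_data=$2; group_data=$3
    gid=$(printf '%s\n' "$passwd_data" | awk -F: -v u="$user" '$1 == u { print $4 }')
    printf '%s\n' "$group_data" | awk -F: -v u="$user" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Return 0 when libvirt-dnsmasq is isolated as the report asks for (member of
# libvirt-dnsmasq, not of libvirt); return 1 otherwise.
dnsmasq_isolated() {
    in_own=1; in_libvirt=1
    for grp in $(user_groups libvirt-dnsmasq "$1" "$2"); do
        [ "$grp" = libvirt-dnsmasq ] && in_own=0
        [ "$grp" = libvirt ] && in_libvirt=0
    done
    [ "$in_own" -eq 0 ] && [ "$in_libvirt" -ne 0 ]
}

# Constructed sample: the state the bug describes, primary group is libvirt.
BEFORE_PASSWD='libvirt-dnsmasq:x:118:120::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin'
BEFORE_GROUP='libvirt:x:120:alice
kvm:x:121:'
# Constructed sample: after the proposed fix, a dedicated libvirt-dnsmasq group.
AFTER_PASSWD='libvirt-dnsmasq:x:118:122::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin'
AFTER_GROUP='libvirt:x:120:alice
kvm:x:121:
libvirt-dnsmasq:x:122:'

for state in BEFORE AFTER; do
    eval "pw=\$${state}_PASSWD; gr=\$${state}_GROUP"
    if dnsmasq_isolated "$pw" "$gr"; then
        echo "$state: libvirt-dnsmasq is isolated in its own group"
    else
        echo "$state: libvirt-dnsmasq has libvirt group power (fix needed)"
    fi
done
```

On a real host the same check runs as `dnsmasq_isolated "$(cat /etc/passwd)" "$(cat /etc/group)"`; supplementary membership via the group member list is detected as well as a libvirt primary group.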

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Also mid/long term this patch should become an upstream configure option.
That would:
1. allow relying on it more
2. drop the delta patching the file
3. ease maintenance as we currently have to modify a lot of testcases (those would depend on the config then and change accordingly)

Changed in libvirt (Ubuntu):
status: New → Triaged
assignee: nobody → ChristianEhrhardt (paelzer)
importance: Undecided → Medium
Changed in libvirt:
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 3.5.0-1ubuntu1

---------------
libvirt (3.5.0-1ubuntu1) artful; urgency=medium

  * Merged with Debian unstable (3.5)
    This closes several bugs:
    - improved handling of host-model since libvirt 3.2 (LP: #1673467)
    - Adding POWER9 cpu model to cpu_map.xml (LP: #1690209)
  * Remaining changes:
    - Disable sheepdog (universe dependency)
    - Disable libssh2 support (universe dependency)
    - Disable firewalld support (universe dependency)
    - Disable selinux
    - Enable esx support
      + Add build-dep to libcurl4-gnutls-dev (required for esx)
    - Set qemu-group to kvm (for compat with older ubuntu)
    - Regularly clear AppArmor profiles for vms that no longer exist
    - Additional apport package-hook
    - Modifications to adapt for our delayed switch away from libvirt-bin (can
      be dropped >18.04).
      + d/p/ubuntu/libvirtd-service-add-bin-alias.patch: systemd: define alias
        to old service name so that old references work
      + d/p/ubuntu/libvirtd-init-add-bin-alias.patch: sysv init: define alias
        to old service name so that old references work
      + d/control: transitional package with the old name and maintainer
        scripts to handle the transition
    - Backwards compatible handling of group rename (can be dropped >18.04).
    - config details and autostart of default bridged network. Creating that is
      now the default in general, yet our solution provides the following on
      top as of today:
      + nat only on some ports <port start='1024' end='65535'/>
      + autostart the default network by default
      + do not autostart if 192.168.122.0 is already taken (e.g. in containers)
    - d/p/ubuntu/Allow-libvirt-group-to-access-the-socket.patch: This is
      the group based access to libvirt functions as it was used in Ubuntu
      for quite long.
      + d/p/ubuntu/daemon-augeas-fix-expected.patch fix some related tests
        due to the group access change.
    - ubuntu/parallel-shutdown.patch: set parallel shutdown by default.
    - d/p/ubuntu/enable-kvm-spice.patch: compat with older Ubuntu qemu/kvm
      which provided a separate kvm-spice.
    - d/p/ubuntu/storage-disable-gluster-test: gluster not enabled, skip test
    - d/p/ubuntu/ubuntu-libxl-qemu-path.patch: this change was split. The
      section that adapts the path of the emulator to the Debian/Ubuntu
      packaging is kept.
    - d/p/ubuntu/ubuntu-libxl-Fix-up-VRAM-to-minimum-requirements.patch: auto
      set VRAM to minimum requirements
    - d/p/ubuntu/xen-default-uri.patch: set default URI on xen hosts
    - Add libxl log directory
    - libvirt-uri.sh: Automatically switch default libvirt URI for users on
      Xen dom0 via user profile (was missing on changelogs before)
    - d/p/ubuntu/apibuild-skip-libvirt-common.h: drop libvirt-common.h from
      included_files to avoid build failures due to duplicate definitions.
    - Update README.Debian with Ubuntu changes
    - Convert libvirt0, libnss_libvirt and libvirt-dev to multi-arch.
    - Enable some additional features on ppc64el and s390x (for arch parity)
      + systemtap, zfs, numa and numad on s390x.
      + sys...

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released