System libvirt-dbus broken after changing libvirtd.socket SocketMode to 0660
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libvirt-dbus (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Recently a security issue was fixed by setting libvirt's socket permissions to 0660. See https:/
This completely breaks libvirt-dbus system connection.
root@ubuntu:~# gdbus call --system --dest org.libvirt --object-path /org/libvirt/QEMU --method org.libvirt.
Error: GDBus.Error:
That is because libvirt-sock by default allows rw access to users that are in the libvirt group.
root@ubuntu:~# ls -la /var/run/
srw-rw---- 1 root libvirt 0 Aug 24 15:33 /var/run/
However libvirt-dbus system process is running as libvirtdbus/
root@ubuntu:~# ps aux | grep libvirt-dbus
libvirt+ 6813 0.0 1.6 363436 18892 ? Sl 15:33 0:00 /usr/sbin/
root 7207 0.0 0.0 8164 672 pts/0 S+ 15:35 0:00 grep --color=auto libvirt-dbus
root@ubuntu:~# cat /proc/6813/status | grep Uid
Uid: 996 996 996 996
root@ubuntu:~# cat /proc/6813/status | grep Gid
Gid: 996 996 996 996
root@ubuntu:~# cat /etc/group | grep 996
libvirtdbus:x:996:
root@ubuntu:~# id libvirtdbus
uid=996(
And that user/group combination can't talk to the libvirtd.socket.
I fixed it on my system, by usermod -a -G libvirt libvirtdbus. I would expect some documented solution, if not a fix.
root@ubuntu:~# dpkg-query --show libvirt-dbus
libvirt-dbus 1.3.0-1
root@ubuntu:~# dpkg-query --show libvirt-daemon
libvirt-daemon 6.0.0-0ubuntu8.3
Ubuntu VERSION="20.04.1 LTS (Focal Fossa)"
tags: | added: focal |
ISTM that adding the libvirt-dbus user into the libvirt group is the right fix here. According to /usr/share/dbus-1/system.d/org.libvirt.conf only root and libvirt group users can call its interface. So that useradd seems correct to me, and it should be put into the Debian package.
Unfortunately libvirt-dbus does not use systemd to manage its service, otherwise it could use DynamicUser= and SupplementaryGroups=libvirt.
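
The access decision diagnosed in this report, as an added example (not part of the bug report or of libvirt-dbus): whether a service account, or an already running process, gets read-write access to a socket with a given mode, owner and group. The function names are hypothetical, gid 134 is a constructed stand-in for the libvirt group's gid, and GNU stat is assumed; the socket path is passed in as an argument.

```shell
#!/bin/sh
# Ignores ACLs, capabilities and search permission on parent directories.

# can_rw MODE OWNER_UID OWNER_GID UID "GID ..." -> status 0 if r+w granted.
# Class selection as the kernel does it: owner bits if the uid matches,
# else group bits if any gid matches, else the "other" bits.
can_rw() {
    mode=$1 o_uid=$2 o_gid=$3 u_uid=$4 u_gids=$5
    if [ "$u_uid" -eq 0 ]; then return 0; fi      # root bypasses mode bits
    perm=$(( 0$mode ))                            # parse the mode as octal
    bits=$(( perm & 7 ))
    if [ "$u_uid" -eq "$o_uid" ]; then
        bits=$(( (perm >> 6) & 7 ))
    else
        for g in $u_gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bits=$(( (perm >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]
}

# check_account SOCKET USER: decision from the account database (id -G).
check_account() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    uid=$(id -u "$2") && gids=$(id -G "$2") || return 2
    set -- $st
    can_rw "$1" "$2" "$3" "$uid" "$gids"
}

# check_pid SOCKET PID: decision from the credentials the running process
# actually holds; a group change only reaches processes started afterwards.
check_pid() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    uid=$(awk '/^Uid:/ { print $3 }' "/proc/$2/status") || return 2
    gids=$(awk '/^Gid:/ { print $3 } /^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "/proc/$2/status")
    set -- $st
    can_rw "$1" "$2" "$3" "$uid" "$gids"
}

# Constructed demo: uid/gid 996 is from the report; 134 stands in for the
# libvirt group's gid, which the report does not show.
can_rw 660 0 134 996 "996"     || echo "gid 996 only: denied"
can_rw 660 0 134 996 "996 134" && echo "gid 996 + libvirt group: allowed"
```

If check_account succeeds while check_pid on the running service still fails, the service was started before the group change and needs a restart to pick it up.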