Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
Date: Thu, 16 Jun 2011 06:16:46 +0100

On Wed, Jun 15, 2011 at 7:16 PM, Venkateswararao Jujjuri
<address@hidden> wrote:
> On 06/15/2011 10:35 AM, Stefan Hajnoczi wrote:
>>
>> On Tue, Jun 14, 2011 at 9:12 AM, M. Mohan Kumar<address@hidden>  wrote:
>>>
>>> [RFC PATCH] virtio-9p: Use clone approach to fix TOCTOU vulnerability
>>>
>>> In the passthrough security model, following a symbolic link on the server
>>> side could result in a TOCTTOU vulnerability.
>>>
>>> Use the clone system call to create a thread which runs in a chrooted
>>> environment. All passthrough model file operations are done from this
>>> thread to avoid the TOCTTOU vulnerability.
>>
>> How will chroot(2) work when QEMU runs as non-root (i.e. secure
>> production environments)?
>>
> This is used only in passthrough mode; passthrough mode needs root access by
> design.
> There is no TOCTTOU vulnerability in mapped mode as symlinks are not actual
> symlinks on host FS.

So is passthrough mode something you only expect developers and
one-off command-line users to try?  I expect users would not want to
run QEMU as root in production.

Regarding mapped mode, I think jailing problems still exist there
since the guest could send a path that contains "../../../../.." and
escape the fs_root?

Stefan
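The "../../../../.." escape Stefan raises is a path containment problem that is separate from the symlink race the patch addresses. The following is an added example, not code from this thread or from QEMU's virtio-9p server, showing the lexical check a file server would apply to a guest-supplied path before touching the host filesystem: it collapses ".", "..", and repeated separators and rejects any path whose ".." components would climb above the export root. The function name jail_path and the export root /srv/export are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 256

/*
 * Lexically normalize a guest-supplied path and join it under root.
 * Absolute guest paths are treated as relative to root (a guest must never
 * name a host location directly). Returns 0 and writes the joined path to
 * out on success; returns -1 if the path would climb above root, is too
 * deep, or does not fit in out.
 */
int jail_path(const char *root, const char *guest_path, char *out, size_t outlen)
{
    const char *segs[MAX_DEPTH];   /* stack of retained components */
    size_t lens[MAX_DEPTH];
    int depth = 0;
    const char *p = guest_path;

    while (*p) {
        while (*p == '/')            /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return -1;           /* ".." at the root: would escape */
            depth--;                 /* pop the previous component */
            continue;
        }
        if (depth == MAX_DEPTH)
            return -1;
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Copy root without trailing slashes so joining never yields "//". */
    size_t rlen = strlen(root);
    while (rlen > 0 && root[rlen - 1] == '/')
        rlen--;
    if (rlen >= outlen)
        return -1;
    memcpy(out, root, rlen);
    size_t used = rlen;

    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    if (used == 0) {                 /* root was "/" and nothing was appended */
        if (outlen < 2)
            return -1;
        out[used++] = '/';
    }
    out[used] = '\0';
    return 0;
}

/*
 * Helper for demonstration: returns 1 if jail_path behaves as expected.
 * expect == NULL means the path must be rejected; otherwise the joined
 * path must equal expect exactly.
 */
int check_case(const char *root, const char *guest_path, const char *expect)
{
    char buf[512];
    int rc = jail_path(root, guest_path, buf, sizeof buf);
    if (expect == NULL)
        return rc == -1;
    return rc == 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one benign path, one traversal attempt. */
    const char *root = "/srv/export";
    const char *cases[] = { "docs/./a//b", "../../../../..", "x/../../etc/passwd" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char buf[512];
        if (jail_path(root, cases[i], buf, sizeof buf) == 0)
            printf("%-22s -> %s\n", cases[i], buf);
        else
            printf("%-22s -> rejected (escapes %s)\n", cases[i], root);
    }
    return 0;
}
```

This check is purely lexical: it keeps the guest inside fs_root on the string level, which is the mapped-mode concern above. It does nothing about a symlink already present on the host under fs_root pointing outside it, which is the passthrough-mode TOCTTOU problem the patch tackles with a chrooted thread; closing that requires the server to open each component without following links (or equivalent jailing), not more string handling.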
