File b196f8fc-CVE-2020-15708-doc.patch of Package libvirt.22293
libvirtd.conf: Add a note about polkit auth in SUSE Polkit auth is enabled by default in SUSE distros. As a result, libvirt's read-write socket has SocketMode=0666. This would result in an insecure configuration if the user were to disable polkit. Add a note warning the user to change SocketMode if disabling polkit auth. See bsc#1174955 for more details. CVE-2020-15708 Inspired by upstream commit b196f8fcdd Index: libvirt-4.0.0/daemon/libvirtd.conf =================================================================== --- libvirt-4.0.0.orig/daemon/libvirtd.conf +++ libvirt-4.0.0/daemon/libvirtd.conf 
@@ -134,20 +134,29 @@ # is allowed read/only access. # # Set an authentication scheme for UNIX read-only sockets +# # By default socket permissions allow anyone to connect # -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -#auth_unix_ro = "none" +# SUSE note: +# Polkit is the default authentication scheme for the read-only +# socket. libvirt will authenticate read-only socket connections +# with polkit, but the default polkit policy allows any local +# user access to libvirt's monitoring APIs. +# +# To restrict monitoring of domains you may wish to either +# enable 'sasl' here, or change the polkit policy definition. +#auth_unix_ro = "polkit" # Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -#auth_unix_rw = "none" +# +# SUSE note: +# Polkit is the default authentication scheme for the read-write +# socket. The permissions of unix_sock_rw_perms is set to 0777, +# which allows any user to connect. However, the default polkit +# policy will only authenticate the root user. If you disable use +# of 'polkit' here, then it is essential to change +# unix_sock_rw_perms to 0600 to avoid an insecure configuration. +#auth_unix_rw = "polkit" # Change the authentication scheme for TCP sockets. #
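Review bot: In the read-write socket note, the comment says unix_sock_rw_perms is set to 0777, while the commit message describes the same socket as having SocketMode=0666; the two should agree, and the comment should carry the value that is actually shipped so an administrator can check it against the socket on disk. The commit message also talks about changing SocketMode, whereas the comment tells the reader to change unix_sock_rw_perms, so the message should name the setting the reader will actually edit in this file. Because the warning only helps if it is seen when auth_unix_rw is changed, consider adding a matching cross-reference beside the unix_sock_rw_perms entry (outside this hunk), so someone who edits only that setting also learns it depends on polkit staying enabled. In the read-only note, "change the polkit policy definition" would be more useful if it said which policy or action to look at. Minor wording: "The permissions of unix_sock_rw_perms is set to" reads better as "unix_sock_rw_perms is set to".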