[Pkg-libvirt-maintainers] Bug#862340: minimize security risk due to dnsmasq running as nobody

Christian Ehrhardt christian.ehrhardt at canonical.com
Thu May 11 14:05:48 UTC 2017


Package: libvirt
Version: 3.0.0-4
Severity: normal

Hi libvirt Maintainers,

This change is about further limiting the potential fallout if a guest can
break into the dnsmasq it can reach: as it is currently running as nobody, it
can reach other "nobodies".  The preferred solution is to run it as a
service-specific system user. In this case, because there may be multiple
dnsmasq daemons running, that would be a separate libvirt-dnsmasq user (the
dnsmasq package itself runs the dnsmasq daemon under a system user called,
unsurprisingly, 'dnsmasq').

I was updating the old contribution of Serge to match the latest Debian and
newer libvirt. I also ran several test builds on various architectures to
ensure nothing in this breaks that I might otherwise miss.

Also this is another patch we have carried in Ubuntu for a while - so it
should be considered somewhat safe and tested, and I think it will
certainly benefit Debian as well.

P.S. I was thinking of reusing the dnsmasq user that is added by the dnsmasq
package itself, but since the original suggestion was to intentionally
make it libvirt-dnsmasq, I punted on that for now. Yet OTOH it would avoid
having to carry the user-add snippet in the postinst. I'd leave it up to
you whether you prefer the dnsmasq user of the package or the more specific
libvirt-dnsmasq user.

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-security-run-dnsmasq-as-libvirt-dnsmasq-user.patch
Type: text/x-patch
Size: 9334 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-libvirt-maintainers/attachments/20170511/28d0a9d9/attachment.bin>
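The two pieces the report talks about, a postinst-style snippet that creates
the dedicated system user and a check that the running dnsmasq instances
actually use it, as an added example. This is not the attached patch and not
libvirt's own packaging code; the user name libvirt-dnsmasq comes from the
report, while the home directory, the nologin shell and the sample process
listing are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not the patch from this bug report.
# Part 1: idempotent user creation as a Debian postinst would do it.
# Assumptions: account and group are both named libvirt-dnsmasq, the home
# directory and shell below are illustrative choices.
create_libvirt_dnsmasq_user() {
    if ! getent passwd libvirt-dnsmasq >/dev/null 2>&1; then
        adduser --quiet --system --group --no-create-home \
            --home /var/lib/libvirt/dnsmasq \
            --shell /usr/sbin/nologin libvirt-dnsmasq
    fi
}

# Part 2: audit helper. Reads "user pid comm" lines on stdin, as produced by
#   ps -eo user:32,pid,comm
# (the explicit width matters: ps truncates long user names to "libvirt+"
# otherwise), prints one line per dnsmasq process whose owner is not the
# expected account given as $1, and exits non-zero if any were found.
audit_dnsmasq_owner() {
    expected="$1"
    bad=0
    while read -r user pid comm; do
        [ "$comm" = "dnsmasq" ] || continue
        if [ "$user" != "$expected" ]; then
            printf 'dnsmasq pid %s runs as %s, expected %s\n' \
                "$pid" "$user" "$expected"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample listing (not captured from a real host): one instance
# still running as nobody, one as the dnsmasq package's own user, and one
# already moved to libvirt-dnsmasq.
SAMPLE_PS='USER PID COMMAND
root 1 systemd
nobody 2345 dnsmasq
dnsmasq 2500 dnsmasq
libvirt-dnsmasq 2346 dnsmasq
nobody 2400 cupsd'

# Stand-alone run against the sample; on a real system replace the sample
# with:  ps -eo user:32,pid,comm | audit_dnsmasq_owner libvirt-dnsmasq
if [ -z "$AUDIT_EXAMPLE_NO_MAIN" ]; then
    printf '%s\n' "$SAMPLE_PS" | audit_dnsmasq_owner libvirt-dnsmasq || true
fi
```

The audit deliberately flags the package's plain 'dnsmasq' account as well,
since the point of the report is that libvirt's instances should be
distinguishable from any other dnsmasq on the host; if the maintainers opt
for reusing that user instead, the expected name passed as $1 changes and
nothing else does.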