Re: qemu-user security trade-offs by dynamic configuration

To: John Scott <jscott@posteo.net>, debian-68k@lists.debian.org, debian-superh@lists.debian.org, security@debian.org, Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Subject: Re: qemu-user security trade-offs by dynamic configuration
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Sun, 24 Aug 2025 01:40:08 +0300
Message-id: <[🔎] b981cd16-102d-4e68-bf43-2376b0e74ce3@tls.msk.ru>
In-reply-to: <[🔎] 7e692a6cb26ed64004fe75854acb8e2512f72b10.camel@posteo.net>
References: <aKi6IWVX2uIlGKnw@seger.debian.org> <Pine.BSM.4.64L.2508230023030.21591@herc.mirbsd.org> <6abe2750-5e2c-43a1-be57-1dc2ccabdd91@tls.msk.ru> <[🔎] 119d5858-52f4-ce1b-9ee7-9615ce2054b9@debian.org> <[🔎] b9c3de733b99cabeecff8b50a7d57fd17b29a08e.camel@physik.fu-berlin.de> <[🔎] 2890f137-20fe-452f-bacd-cef360eeb548@tls.msk.ru> <[🔎] ca288b60-409e-ebc8-e436-23675dacfd96@debian.org> <[🔎] 43467334-39dd-488b-a9a8-f79199ba8b5a@tls.msk.ru> <[🔎] ebe17f44-462f-7c6f-c825-00e5657957a4@debian.org> <[🔎] 922d1c02-8316-40b6-ae53-7f15e1190f0b@tls.msk.ru> <[🔎] c8727035-5a44-2d82-fc0d-96956dee75fc@debian.org> <[🔎] 37f0a016-b68c-412e-b1ee-d5c8bfde54bd@tls.msk.ru> <[🔎] 7e692a6cb26ed64004fe75854acb8e2512f72b10.camel@posteo.net>

On 24.08.2025 01:00, John Scott wrote:


Hello,

Hi!

...an option that I haven't seen mentioned: how about using a low-priority (i.e. not shown by default) Debconf question to allow configuring the old behavior?


No. Just like with suid-root /bin/sh (or suid-root /bin/tee), there must
not be such option - not only in debconf, but in any readme files or any
other documentation.

qemu-user in its current way is not supposed to work in this mode.

In order to avoid complete system compromise through qemu-user, C flag,
and any foreign suid binary, you have to - very carefully - ensure that
such foreign suid-binary is not accessible to any user on the system.
Once any user has access to such binary, there are trivial steps to
have root.  Only the code which you trust can be run in this mode.

I believe this is an approach used by some network diagnostic tools in Debian (Wireshark and friends perhaps?). For example a tool that's rarely used and is only manually invoked by an experienced sysadmin might not have a compelling need for a set-UID bit or e.g. CAP_NET_RAW set, but for other respectable use cases such as automation, or when other security enhancements are in place, or on systems that are not mission-critical, an administrator/user may decide incurring a risk is acceptable or advances "the greater good".


wireshark is a complex software, yet it is written with being able to
run suid-root in mind, and whole thing was written very carefully.
We can't guarantee no bugs in all the (GUI and other) libraries it
uses, this is why it has an option to make it suid or not.

With qemu, it has NO security control watsoever, it has never been
written in contest of it being run in suid(root,whatever) environment.
The user completely controls which code qemu runs, and with C flag,
this code is run as root.

So it is completely different situation compared with wireshark, or
maybe gdisk (iirc, -- the gui util to partition your drive), and the
likes, - who was written with suid context in mind from the very
beginning.

I repeat.

If someone really wants the old behavior, it is trivial to restore
by using custom binfmt entry with the C flag.  But it must not be
done not only in debconf but in docs/readmes too.  And if want
adventures, you will find this (simple) way.  Just like you can
chmod u+s /bin/sh using dpkg-statoverride.

Somehow it feels like people can't grok the severity of this issue.

For the start, run (as non-root):

 QEMU_LOG_FILENAME=/etc/shadoww /foreign/chroot/bin/su

and hit Ctrl+C.  And see /etc/shadoww gets created.  After update,
it wont be created anymore.  And this usage of environment vars
is just a tip of the iceberg.  Whole qemu code is written in a way
which is not supposed to run anything security-sensitive.

Thanks,

/mjt

Reply to:

References:
- qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
  - From: Thorsten Glaser <tg@debian.org>
- Re: qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
  - From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
- Re: qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Re: qemu-user viability
  - From: Thorsten Glaser <tg@debian.org>
- Re: qemu-user viability
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Re: qemu-user lost its entire viability
  - From: Thorsten Glaser <tg@debian.org>
- Re: qemu-user lost its entire viability
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Re: qemu-user lost its entire viability
  - From: Thorsten Glaser <tg@debian.org>
- Re: qemu-user lost its entire viability
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Re: qemu-user security trade-offs by dynamic configuration
  - From: John Scott <jscott@posteo.net>

Prev by Date: Re: qemu-user security trade-offs by dynamic configuration
Next by Date: Re: qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
Previous by thread: Re: qemu-user security trade-offs by dynamic configuration
Next by thread: Re: qemu-user viability (was Re: [SECURITY] [DSA 5983-1] qemu security update)
Index(es):
- Date
- Thread