QEMU-KVM Security

e100 · Apr 18, 2014

Why does Proxmox run KVM process as root?

An exploit in KVM could allow execution of code in the host running as the user of the KVM process.
It would be much more secure to run KVM processes as an un-privlidged user.

Also, I noticed Debian issued a KVM related security patch today, is Proxmox already patched?
CVE-2014-0150

mo_ · Apr 19, 2014

probably relates to this: http://seclists.org/oss-sec/2014/q2/116

e100 · Apr 21, 2014

If KVM was running as a non-root user then such an exploit would be less of a concern.

Being able to crash the guest or gain access to the host as a non-provlidged user is one thing
Gaining root access through a guest exploit is a quite different situation.

If the guest is running as root already then the hardest part of gaining root access on the host is already done for the hacker.

dietmar · Apr 22, 2014

I just uploaded a fix to pvetest repository:

ftp://download.proxmox.com/debian/dists/wheezy/pvetest/binary-amd64/pve-qemu-kvm_1.7-8_amd64.deb

Please use the pve-devel list if you want to discuss development related issues.

Search

Search

QEMU-KVM Security

e100

Famous Member

mo_

Renowned Member

e100

Famous Member

dietmar

Proxmox Staff Member

We value your privacy