It was discovered that libvirtd would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.
The Unix permissions of libvirt's read-only socket can be made more restrictive than the default (0777) by editing /etc/libvirt/libvirtd.conf
. The settings unix_sock_group = libvirt
and unix_sock_ro_perms = 0770
will restrict access to only members of libvirt
, who already have management access to virtual machines.