qemu/docs
Daniel P. Berrangé 4f24430821 doc: document that the monitor console is a privileged control interface
A supposed exploit of QEMU was recently announced as CVE-2019-12928
claiming that the monitor console was insecure because the "migrate"
command enabled arbitrary command execution for a remote attacker.

To be a security risk the user launching QEMU must have configured
the monitor in a way that allows for other users to access it. The
exploit report quoted use of the "tcp" character device backend for
QMP.

This would indeed allow any network user to connect to QEMU and
execute arbitrary commands, however, this is not a flaw in QEMU.
It is the normal expected behaviour of the monitor console and the
commands it supports. Given a monitor connection, there are many
ways to access host file system content besides the migrate command.

The reality is that the monitor console (whether QMP or HMP) is
considered a privileged interface to QEMU and as such must only
be made available to trusted users. IOW, making it available with
no authentication over TCP is simply a, very serious, user
configuration error not a security flaw in QEMU itself.

The one thing this bogus security report highlights though is that
we have not clearly documented the security implications around the
use of the monitor. Add a few paragraphs of text to the security
docs explaining why the monitor is a privileged interface and making
a recommendation to only use the UNIX socket character device backend.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-19 14:21:08 +01:00
..
config docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
devel Fix typo, change virtio-rng default to urandom 2019-07-05 16:16:15 +01:00
interop docs/bitmaps: use QMP lexer instead of json 2019-07-10 15:08:07 -04:00
specs xics/spapr: Detect old KVM XICS on POWER9 hosts 2019-07-02 09:43:58 +10:00
sphinx sphinx: add qmp_lexer 2019-07-10 15:08:06 -04:00
spin
amd-memory-encryption.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
block-replication.txt
bootindex.txt
can.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
ccid.txt
COLO-FT.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
colo-proxy.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
conf.py sphinx: add qmp_lexer 2019-07-10 15:08:06 -04:00
cpu-hotplug.rst docs/cpu-hotplug.rst: Fix rST markup issues 2019-03-07 14:26:44 +00:00
generic-loader.txt docs/generic-loader: mention U-Boot and Intel HEX executable formats 2018-08-20 11:24:31 +01:00
hyperv.txt i386/kvm: add support for Direct Mode for Hyper-V synthetic timers 2019-06-21 02:29:39 +02:00
igd-assign.txt
image-fuzzer.txt
index.rst docs: provide documentation on the POWER9 XIVE interrupt controller 2019-05-29 11:39:47 +10:00
memory-hotplug.txt docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
multi-thread-compression.txt Replace '-enable-kvm' with '-accel kvm' in docs and help texts 2018-06-28 19:05:32 +02:00
multiseat.txt tests/docker/test-mingw and docs: Remove --with-sdlabi=2.0 2019-02-04 15:25:21 +00:00
nvdimm.txt util/mmap-alloc: support MAP_SYNC in qemu_ram_mmap() 2019-04-25 14:17:36 -03:00
pci_expander_bridge.txt
pcie_pci_bridge.txt
pcie.txt
pr-manager.rst
pvrdma.txt hw/pvrdma: Remove max-sge command-line param 2019-01-19 10:31:24 +02:00
qcow2-cache.txt qcow2: Default to 4KB for the qcow2 cache entry size 2019-03-08 12:26:45 +01:00
qdev-device-use.txt qemu-options: Remove deprecated "-virtioconsole" option 2019-02-05 16:50:19 +01:00
qemu_logo.pdf
qemu-block-drivers.texi ssh: switch from libssh2 to libssh 2019-06-24 16:01:04 +02:00
qemu-cpu-models.texi docs: recommend use of md-clear feature on all Intel CPUs 2019-05-21 15:39:05 -03:00
qemupciserial.inf docs: Grammar and spelling fixes 2018-07-13 10:16:04 +01:00
rdma.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
replay.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
security.texi doc: document that the monitor console is a privileged control interface 2019-07-19 14:21:08 +01:00
spice-port-fqdn.txt
throttle.txt
usb2.txt docs/usb2.txt: ehci has six ports 2018-08-21 10:22:03 +02:00
usb-storage.txt
vfio-ap.txt doc: fix typos for documents in tree 2019-03-06 10:40:21 +01:00
virtio-balloon-stats.txt Remove the deprecated -balloon option 2018-08-31 09:52:13 +02:00
xbzrle.txt
xen-save-devices-state.txt