astro / microvm.nix

NixOS MicroVMs
https://astro.github.io/microvm.nix/
MIT License

`microvm` user is in the `disk` group #222

Closed romner-set closed 5 months ago

romner-set commented 5 months ago

I'm currently using QEMU with virtiofs mounts, and I just noticed that the `microvm` user the VMs are being run as is in the `disk` group, and therefore has full read-write access to basically all disks and unlocked ZFS volumes. I'm not familiar enough with QEMU/KVM to say whether this can be easily fixed (or whether it's even a problem in the first place), but it seems like a huge potential security vulnerability.

romner-set commented 5 months ago

Just tried stopping all VMs, running `usermod -rG disk microvm` and restarting them; so far everything seems to work fine. I'm probably missing something, since the group has to be there for a reason, but at least in my specific config putting the user in the `disk` group seems unnecessary.

The relevant code has a comment stating "allow access to zvol", which... doesn't clarify much.

astro commented 5 months ago

That was out of convenience because I use ZFS volumes in microvm.volumes.

You are right, I am going to remove it. Any ideas how we can communicate that breaking change?

romner-set commented 5 months ago

I think it'd be best if there was some kind of check in place that'd make sure the `microvm` user has r/w access to all specified volumes (if any) and prints a warning if it doesn't. That should both alert anyone who needs to change something and make sure that future configs work as intended.

astro commented 5 months ago

As there are multiple solutions to allowing block device access (user extraGroup or udev rules), we cannot check disk permissions at build time. At runtime the VMM will error anyway.

I've added some documentation. The next release will be breaking anyway.
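The two ways of granting block-device access that the thread contrasts, side by side in one NixOS module. This is an added example, not code from microvm.nix or from either participant; the pool name `tank`, the zvol naming scheme `microvm-*`, the VM name `example` and the `autoCreate` option are assumptions, and the udev rule assumes it is evaluated after the ZFS rules that create the `/dev/zvol/...` symlinks.

```nix
{ config, lib, pkgs, ... }:
{
  # Added example. Assumes the microvm.nix host module is imported and that
  # the pool "tank" and zvol names below exist on this host (placeholders).

  # Broad setting, as described in the issue: on NixOS the "disk" group owns
  # every block device, so a VMM process running as "microvm" can read and
  # write every disk and every unlocked zvol on the host, not only its own
  # volumes. Kept here commented out to show what the narrower rule replaces.
  # users.users.microvm.extraGroups = [ "disk" ];

  # Narrow setting: hand only the zvols meant for VMs to the "microvm" user.
  # ZFS's own udev rules add the /dev/zvol/<pool>/<name> symlink; this rule
  # (assumed to run after them) matches that symlink and chowns the node so
  # that no membership in "disk" is needed. Any other disk stays root-only.
  services.udev.extraRules = ''
    KERNEL=="zd*", SUBSYSTEM=="block", SYMLINK=="zvol/tank/microvm-*", OWNER="microvm", MODE="0600"
  '';

  microvm.vms.example.config = {
    microvm = {
      hypervisor = "qemu";
      volumes = [{
        # Placeholder zvol; must already exist (zfs create -V ...).
        image = "/dev/zvol/tank/microvm-example-root";
        mountPoint = "/var";
        # Assumed option: do not let microvm.nix try to create an image file
        # at this path, the block device is managed by ZFS.
        autoCreate = false;
      }];
      shares = [{
        # The virtiofs share from the reporter's setup, unaffected by the
        # group change: it is served by a host daemon, not via block devices.
        proto = "virtiofs";
        tag = "ro-store";
        source = "/nix/store";
        mountPoint = "/nix/.ro-store";
      }];
    };
  };
}
```

As astro notes, this cannot be verified at build time because the device only exists on the running host. After `nixos-rebuild switch`, a quick runtime check is `sudo -u microvm test -r /dev/zvol/tank/microvm-example-root -a -w /dev/zvol/tank/microvm-example-root && echo ok`; if the rule did not apply, the VMM will fail to open the image when the VM service starts.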