About Security

See also: Authentication, How to authenticate clients with the Multipass service, authenticate, local.passphrase

Multipass runs a daemon that is accessed locally via a Unix socket on Linux and macOS, and over a TLS socket on Windows. Anyone with access to the socket can fully control Multipass, which includes mounting host file systems or to tweaking the security features for all instances.

Therefore, make sure to restrict access to the daemon to trusted users.

Local access to the Multipass daemon

The Multipass daemon runs as root and provides a Unix socket for local communication. Access control for Multipass is initially based on group membership and later by the client’s TLS certificate when accepted by providing a set passphrase.

The first client to connect that is a member of the sudo group (or wheel/adm, depending on the OS) will automatically have its TLS certificate imported into the Multipass daemon and will be authenticated to connect. After this, any other client connecting will need to authenticate first by providing a passphrase set by the administrator.

Errors or typos? Topics missing? Hard to read? Let us know or open an issue on GitHub.

Could it be mentioned that Multipass is intended for development and not for production in this security policy? The development-only scope is hinted at in the projects README, but I believe mentioning this here would help justify Multipass’ security scope.

Hi @eslerm!

That is a good idea. I planned on updating the Security Topic soon, so I will add this to it as well. Thanks!

Hi @eslerm!

I updated this to reflect the intended for development aspect. Please let me know is this is sufficient from the Security Team’s standpoint. Thanks!

Thanks @townsend! The border really helps this stand out.

I’d suggest:

Multipass is intended to be used for development and is not considered production ready. As such, the projects security scope is limited to development use and caution is advised if used in production.