What is the purpose of "Libvirt qemu" user?

What is the purpose of the "Libvirt qemu" user that is created as a non-system user when installing some virtualisation package?

Which package did that exactly?


It's created by libvirt-bin:

$ grep libvirt-qemu /var/lib/dpkg/info/*.postinst
/var/lib/dpkg/info/libvirt-bin.postinst:# Allocated UID and GID for libvirt-qemu
/var/lib/dpkg/info/libvirt-bin.postinst:    if ! getent passwd libvirt-qemu >/dev/null; then
/var/lib/dpkg/info/libvirt-bin.postinst:            libvirt-qemu
/var/lib/dpkg/info/libvirt-bin.postinst:                chown libvirt-qemu:kvm "${dir}"
/var/lib/dpkg/info/libvirt-bin.postinst:    chown libvirt-qemu:kvm /var/lib/libvirt/qemu/channel/target

And it's a security measure. With services like web servers, mail servers, hypervisors, etc., the service should drop privileges and run as an unprivileged user instead of remaining as root after it has done any necessary initialization. This way, if the service is compromised, the attacker doesn't gain unrestricted root access. For libvirt in particular:

If QEMU virtual machines from the "system" instance are being run as non-root, there will be greater restrictions on what host resources the QEMU process will be able to access.
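To check that guests really run under the unprivileged account described above, the following added example (not part of the original answer or of libvirt's packaging) flags QEMU processes owned by any other user and reads the `user` override from a qemu.conf. The sample process list and the `/etc/libvirt/qemu.conf` path in the comments are assumptions not taken from the page.

```shell
#!/bin/sh
# Added example: audit which account QEMU guests run as.
# Assumption: the expected account is libvirt-qemu, the user created by the
# libvirt-bin postinst shown above. Override with EXPECTED_USER if needed.
EXPECTED_USER="${EXPECTED_USER:-libvirt-qemu}"

# Constructed sample of `ps -eo user:32,pid,args` output (not from a real host).
SAMPLE_PS='USER         PID COMMAND
root           1 /sbin/init
root         812 /usr/sbin/libvirtd
libvirt-qemu 2301 /usr/bin/qemu-system-x86_64 -name guest=web01 -m 2048
root         2410 /usr/bin/qemu-system-x86_64 -name guest=db01 -m 4096
alice        2555 grep qemu'

# Read ps-style lines (USER PID COMMAND...) on stdin and print "PID USER"
# for every QEMU process that is not running as the expected user.
qemu_wrong_user() {
    awk -v want="$EXPECTED_USER" '
        NR == 1 && $1 == "USER" { next }      # skip the ps header line
        {
            n = split($3, parts, "/")         # basename of the executable
            exe = parts[n]
            if (exe ~ /^(qemu-system-|qemu-kvm$|kvm$)/ && $1 != want)
                print $2, $1
        }'
}

# Read a qemu.conf on stdin and print the value of its active user = "..."
# line. Prints nothing when the setting is commented out or absent, in
# which case libvirt falls back to its built-in default.
qemu_conf_user() {
    sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' |
        tail -n 1
}

# Demo on the constructed sample; this reports the guest running as root.
printf '%s\n' "$SAMPLE_PS" | qemu_wrong_user

# On a live host (assumed Debian/Ubuntu paths):
#   ps -eo user:32,pid,args | qemu_wrong_user
#   qemu_conf_user < /etc/libvirt/qemu.conf
# user:32 widens the column; the default width shortens long names such as
# libvirt-qemu, which would break the comparison.
```
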