qemu-devel

Re: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)


From: Ben Taylor
Subject: Re: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
Date: Sat, 10 Feb 2007 7:02:00 -0500

---- "Kevin F. Quinn" <address@hidden> wrote: 
> On Fri, 9 Feb 2007 22:48:51 +0000
> Paul Brook <address@hidden> wrote:
> 
> > I've very little sympathy (read: none) for people who "accidentally"
> > break things by running them as root.
> 
> On a related note, I've been running qemu(-system 0.8.2) as root
> recently as a hopefully temporary measure so that it can setup the
> network interfaces.  Recent linux kernels require CAP_NET_ADMIN for the
> tun network configuration that qemu does (specifically the TUNSETIFF
> ioctl), and the only way to get the capability is to start the process
> as root.
> 
> Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once
> the network configuration is done, but that means modifications to qemu
> itself to release the capabilities, and would still leave qemu as a
> suid-root binary, which it would be nicer to avoid.
> 
> Is there any way around this?  I expected to be able to configure
> capabilities for executables in the filesystem, but it appears there
> are serious problems with that concept so the kernel doesn't support
> it.

I just dealt with that.  I got a patch for tap for Solaris and I have a setuid script that creates the tap and uses the /etc/qemu-ifup script to configure the interface, then calls a script with the file descriptor of the tap interface, which then invokes qemu with the right parameters.

Ben
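The helper pattern from this thread in code, as an added example and not anything posted by Kevin or Ben: one small setuid program does the single step that needs CAP_NET_ADMIN on Linux (the TUNSETIFF ioctl), drops root irrevocably, and only then execs qemu unprivileged with the already-open tap fd via "-net tap,fd=N" (the fd survives the exec because it is not opened close-on-exec). The qemu path, the alphanumeric-only interface-name policy, and leaving out the /etc/qemu-ifup step are assumptions of this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/if_tun.h>

/* A setuid helper must not trust argv: short alphanumeric names only (assumed policy). */
int validate_ifname(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n >= IFNAMSIZ) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i])) return -1;
    return 0;
}

/* Build the qemu option that hands over the already-open tap fd. */
int format_tap_option(char *buf, size_t len, int fd) {
    int r = snprintf(buf, len, "tap,fd=%d", fd);
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/* The one privileged step: open /dev/net/tun and bind it to ifname (TUNSETIFF). */
int open_tap(const char *ifname) {
    struct ifreq ifr = {0};
    int fd = open("/dev/net/tun", O_RDWR);   /* no O_CLOEXEC: qemu inherits it */
    if (fd < 0) return -1;
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { close(fd); return -1; }
    return fd;
}

/* Drop root for good: real, effective and saved ids all become the caller's. */
int drop_root(void) {
    if (setresgid(getgid(), getgid(), getgid()) < 0) return -1;
    if (setresuid(getuid(), getuid(), getuid()) < 0) return -1;
    return (getuid() != 0 && geteuid() == 0) ? -1 : 0;
}

int main(int argc, char **argv) {
    if (argc != 2 || validate_ifname(argv[1]) != 0) return 2;
    int fd = open_tap(argv[1]); char opt[32];   /* qemu-ifup would run here, still as root */
    if (fd < 0 || drop_root() < 0 || format_tap_option(opt, sizeof opt, fd) < 0) return 1;
    execl("/usr/bin/qemu", "qemu", "-net", "nic", "-net", opt, (char *)0);  /* assumed path */
    return 1;  /* exec failed */
}
```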
