[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qem
|
From: |
Arnd Bergmann |
|
Subject: |
Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu |
|
Date: |
Sat, 7 Nov 2009 22:50:39 +0100 |
|
User-agent: |
KMail/1.12.2 (Linux/2.6.31-14-generic; KDE/4.3.2; x86_64; ; ) |
On Saturday 07 November 2009, Anthony Liguori wrote:
> Avi Kivity wrote:
> > On 11/07/2009 11:14 AM, Avi Kivity wrote:
> >> I'd welcome -net bridge as one of them. But we shouldn't try to
> >> invent access control systems or install suid helpers.
> >
> > We can make the helper a script that does
> >
> > exec sudo /the/real/helper "$@"
> >
> > so a user can add it to /etc/sudoers and get pre-authenticated
> > configuration.
>
> The key point of the helper here is that you pass an fd to a socketpair
> and you then receive an fd over that socket. What the helper does is
> really less important. Whether it's a script like you suggest or
> something like I proposed doesn't matter from a qemu perspective.
Well, the difference matters from a security perspective. The sudo
script that Avi suggested just means that you can guarantee you don't
introduce any security holes through a suid executable. Fortunately,
it does not impact the contents of your helper either, only the
installation. You could even be clever in qemu and use call the helper
using sudo if qemu is running as unpriviledged user and the helper is
not a suid file.
Arnd <><
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, (continued)
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/05
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Jamie Lokier, 2009/11/05
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Jamie Lokier, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Jamie Lokier, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu,
Arnd Bergmann <=
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/08
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/05
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Anthony Liguori, 2009/11/06
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Jamie Lokier, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Avi Kivity, 2009/11/07
- Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu, Jamie Lokier, 2009/11/09