|
| From: | Avi Kivity |
| Subject: | Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu |
| Date: | Sun, 08 Nov 2009 10:11:12 +0200 |
| User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.4pre) Gecko/20091014 Fedora/3.0-2.8.b4.fc11 Thunderbird/3.0b4 |
On 11/08/2009 12:12 AM, Anthony Liguori wrote:
Arnd Bergmann wrote:Well, the difference matters from a security perspective. The sudo script that Avi suggested just means that you can guarantee you don't introduce any security holes through a suid executable. Fortunately, it does not impact the contents of your helper either, only the installation. You could even be clever in qemu and use call the helper using sudo if qemu is running as unpriviledged user and the helper is not a suid file.Or just use fscaps and not even work about suid :-) That's the preferred model.
fscaps does not eliminate the security concern, just reduces it. CAP_NET_ADMIN is way to powerful to let loose.
If the sudo script execs your binary then we can install everything without special privileges. All it takes then to enable bridging for non-privileged users is a line in /etc/sudoers allowing the script to be run without a password prompt (and of course, for someone to set up bridging and dhcp and to allocate MAC addresses).
-- error compiling committee.c: too many arguments to function
| [Prev in Thread] | Current Thread | [Next in Thread] |