
Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge


From: Jamie Lokier
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Date: Mon, 9 Nov 2009 15:39:33 +0000
User-agent: Mutt/1.5.13 (2006-08-11)

Anthony Liguori wrote:
> Let's not kid ourselves, no matter what we do we're giving a user 
> elevated privileges.  Even with NAT, if the host can access the NAT'ed 
> network, then you can run a privileged service (like NFS) in that 
> network.

I don't see how outgoing NAT (SNAT), where the guest can make
_outgoing_ connections to the network, allows the guest to run a
privileged service accessible to the network.  Sure, the guest can run
an NFS server, but it means nothing to the outside - it's on the
guest's own private little network.  Same as Slirp.

The guest cannot even make an outgoing request which appears to come
from a privileged port - if the SNAT rule has the appropriate options
to force the port into an unprivileged range.

For the guest's NFS server to be visible to the network requires
incoming NAT (DNAT) on the host, often called "port forwarding".  But
that is done by explicit administration; if you can do that, you can
run a privileged service on the host anyway.

> I think the best we can do is provide a tool that allows an 
> administrator to grant users additional privileges in the tiniest 
> increments possible.  Putting people in wheel just so they can do 
> virtualization is too much.
> 
> I don't see having an fscap-based helper as creating policy.  I see it 
> as adding a mechanism for administrators to create policy.

I agree with both of these.

-- Jamie
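The distinction the reply draws (SNAT lets the guest initiate connections but does not expose anything it listens on; only an explicit DNAT/port-forward does; and the translated source port can be forced out of the privileged range) is easy to see in a small stateful-NAT model. The following is an added example, not code from the patch series or from QEMU; the addresses are constructed RFC 5737 documentation values, and the `force_unprivileged` switch stands in for the port-range suffix that the iptables `SNAT` target accepts on `--to-source` (`ip:1024-65535`) and that `MASQUERADE` accepts via `--to-ports`. The port-preservation behaviour of `_pick_port` is a simplification of what the Linux NAT code does by default.

```python
"""Minimal model of stateful source NAT (SNAT) versus destination NAT (DNAT).

Constructed example (not part of the QEMU -net bridge discussion): shows why
an SNAT-only host lets a guest make outgoing connections but leaves a service
the guest listens on unreachable, and why restricting translated source ports
to >= 1024 stops a guest from appearing to send from a privileged port.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# conntrack entry keyed by translated host port:
#   host_port -> (guest_ip, guest_port, peer_ip, peer_port)
Entry = Tuple[str, int, str, int]


@dataclass
class Nat:
    host_ip: str
    force_unprivileged: bool = True  # models SNAT --to-source ip:1024-65535
    dnat_rules: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    conntrack: Dict[int, Entry] = field(default_factory=dict)

    def _pick_port(self, wanted: int) -> int:
        # The kernel prefers to keep the original source port when it is free;
        # without a restricted range a guest's source port 111 would therefore
        # leave the host as port 111 (simplified: the real fallback ranges
        # are more elaborate).
        if not self.force_unprivileged and wanted not in self.conntrack:
            return wanted
        port = 1024
        while port in self.conntrack:
            port += 1
        if port > 65535:
            raise RuntimeError("no free translated ports")
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Guest -> network: rewrite the source and remember the mapping."""
        port = self._pick_port(pkt.src_port)
        self.conntrack[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.host_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Network -> host: only a reply to a tracked flow or a packet matching
        an explicit DNAT rule is forwarded to the guest; anything else stays
        on the host side (returned as None here)."""
        if pkt.dst_ip != self.host_ip:
            return None
        entry = self.conntrack.get(pkt.dst_port)
        if entry and (pkt.src_ip, pkt.src_port) == (entry[2], entry[3]):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.dnat_rules:
            guest_ip, guest_port = self.dnat_rules[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, guest_ip, guest_port)
        return None


GUEST, HOST, PEER = "10.0.2.15", "203.0.113.1", "198.51.100.7"


def demo() -> dict:
    """Walk through the three cases discussed in the thread."""
    nat = Nat(HOST)
    # 1. Guest sends from privileged port 111; the restricted range rewrites it.
    out = nat.outbound(Packet(GUEST, 111, PEER, 2049))
    # Same packet through an unrestricted SNAT keeps source port 111.
    lax_out = Nat(HOST, force_unprivileged=False).outbound(Packet(GUEST, 111, PEER, 2049))
    # 2. The reply to the tracked flow is mapped back to the guest ...
    reply = nat.inbound(Packet(PEER, 2049, HOST, out.src_port))
    # ... but an unsolicited connection to the guest's NFS port goes nowhere.
    unsolicited = nat.inbound(Packet(PEER, 40000, HOST, 2049))
    # 3. Only an explicit DNAT (port forward) added by the admin exposes it.
    nat.dnat_rules[2049] = (GUEST, 2049)
    forwarded = nat.inbound(Packet(PEER, 40000, HOST, 2049))
    return {
        "snat_src_port": out.src_port,
        "lax_snat_src_port": lax_out.src_port,
        "reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
        "unsolicited_forwarded": unsolicited is not None,
        "dnat_dst": (forwarded.dst_ip, forwarded.dst_port) if forwarded else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model tracks flows by translated host port only, which is enough to show the asymmetry: `outbound()` always succeeds, `inbound()` succeeds only for a reply whose peer matches the tracked flow or for a port the administrator explicitly forwarded.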
