Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use

From:	Corey Bryant
Subject:	Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID
Date:	Mon, 24 Oct 2011 16:20:50 -0400
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9

On 10/24/2011 03:21 PM, Anthony Liguori wrote:

On 10/24/2011 02:13 PM, Corey Bryant wrote:

Right, it's not desirable, but isn't that the best we can do without
libcap or FS capabilities?


I think the best we can do is not let it run in those cases. :) I'd
like see if
others in the community have an opinion on this though.


IMHO, it should work as an setuid binary maintaining root privileges. As
long as it's a small binary (which it is) and is easy to audit, it
should be safe.

Regards,

Anthony Liguori

Alright, I'll concede on this. I'll run a static analyzer on the codeand let it run as root if libcap-ng is not configured.

It would be nice to also cut an audit record, but I'm not seeing aprecedence for doing that in QEMU. Any thoughts?


--
Regards,
Corey

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [PATCH v2 2/4] Add access control support to qemu bridge helper, (continued)
- [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Corey Bryant, 2011/10/21
  - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Blue Swirl, 2011/10/23
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Corey Bryant, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Blue Swirl, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Corey Bryant, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Blue Swirl, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Corey Bryant, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Anthony Liguori, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Corey Bryant <=
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Anthony Liguori, 2011/10/24
    - Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID, Anthony Liguori, 2011/10/24
- [Qemu-devel] [PATCH v2 1/4] Add basic version of bridge helper, Corey Bryant, 2011/10/21
  - Re: [Qemu-devel] [PATCH v2 1/4] Add basic version of bridge helper, Blue Swirl, 2011/10/23
    - Re: [Qemu-devel] [PATCH v2 1/4] Add basic version of bridge helper, Corey Bryant, 2011/10/24
- [Qemu-devel] [PATCH v2 4/4] Add support for net bridge, Corey Bryant, 2011/10/21

Prev by Date: [Qemu-devel] [PATCH] target-xtensa: handle cache options in the overlay tool
Next by Date: [Qemu-devel] [PATCH] target-sparc: Fix order of function parameters
Previous by thread: Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID
Next by thread: Re: [Qemu-devel] [PATCH v2 3/4] Add cap reduction support to enable use as SUID
Index(es):
- Date
- Thread