Re: [PATCH] Manpage: Update description of 'user=username' for '-run-wit
From: Paolo Bonzini
Subject: Re: [PATCH] Manpage: Update description of 'user=username' for '-run-with'
Date: Tue, 16 Jul 2024 11:00:09 +0200
> Manpage: the description of '-runs' didn't show this parameter will use
> setuid, so the customer might get confused when 'elevateprivileges=deny' is
> used. Since '-runas' is going to be deprecated and replaced by this
> parameter in the coming qemu9.1, add the message here.
Queued, thanks. I modified the patch a bit to explain how setgid and
setgroups are used in addition to setuid:
diff --git a/qemu-options.hx b/qemu-options.hx
index ad6521ef5e7..694fa37f284 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -5024,8 +5024,11 @@ SRST
in combination with -runas.
``user=username`` or ``user=uid:gid`` can be used to drop root privileges
- by switching to the specified user (via username) or user and group
- (via uid:gid) immediately before starting guest execution.
+ before starting guest execution. QEMU will use the ``setuid`` and
``setgid``
+ system calls to switch to the specified identity. Note that the
+ ``user=username`` syntax will also apply the full set of supplementary
+ groups for the user, whereas the ``user=uid:gid`` will use only the
+ ``gid`` group.
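Review bot: the added text names only the ``setuid`` and ``setgid`` system calls, while the note above the diff says the change also explains how setgroups is used; in the sentence about supplementary groups, name that call and say explicitly what happens to the supplementary group list in the ``user=uid:gid`` case. "will use only the ``gid`` group" can be read either as "the list is reduced to ``gid``" or as "no groups are looked up for the user", and a reader deciding whether root's inherited groups survive the switch needs to know which. The rewrite also drops "immediately" from "immediately before starting guest execution"; if the point at which privileges are dropped has not changed, keeping the word preserves that statement. Finally, the continuation line holding only ``setgid`` has no leading "+", so the hunk as posted does not match its @@ line counts; that looks like mail wrapping and is worth checking against the committed version.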
Paolo