Daniel,

On 8/1/07, Daniel P. Berrange <[EMAIL PROTECTED]> wrote:
> Unless you whitelist which monitor commands it can run this would be a
> significant security hole. e.g. a guest could run
>
>   'usb_add disk /some/path'
>
> To get access to arbitrary files & disks from the host.
>

If we assume that kvm runs under root, yes (and if kvm finds out it
runs under root, it might disable such access to monitor).

I have written a suid wrapper (very simple) that does whatever is
necessary under root, and then drops to user privileges, then execs
kvm, so these actions will be limited by Linux multi-user mechanisms
as usual.

In my daily practice, I run kvm under my user privileges, and it works fine.

See the kvmadm project (link on the kvm wiki page "Management tools").

-- 
Dimitry Golubovsky

Anywhere on the Web

_______________________________________________
kvm-devel mailing list
kvm-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kvm-devel
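
The wrapper pattern described in the message above (do the root-only work, drop to the invoking user, then exec), as an added example that is not part of the original message and is not the kvmadm code. The function name `drop_privileges` and the command-line convention are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root and become (uid, gid). Returns 0 on success.
 * In a setuid-root program only the effective and saved uid are 0; the real
 * uid/gid and the supplementary groups already belong to the caller. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* gid first: once the uid is no longer 0 the gid cannot be changed. */
    if (setgid(gid) != 0)
        return -1;
    /* With euid 0 this sets real, effective and saved uid in one call. */
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage (hypothetical): wrapper /path/to/kvm [kvm args...] */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    /* Root-only setup would run here, before the drop (none in this example). */

    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;   /* never exec the emulator while root is still held */
    }
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 127;
}
```

Because the drop happens before the exec, a monitor command such as `usb_add disk /some/path` can only open paths the invoking user could already open.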