On Fri, 9 Feb 2007 22:48:51 +0000 Paul Brook <[EMAIL PROTECTED]> wrote:
> I've very little sympathy (read: none) for people who "accidentally" > break things by running them as root. On a related note, I've been running qemu(-system 0.8.2) as root recently as a hopefully temporary measure so that it can setup the network interfaces. Recent linux kernels require CAP_NET_ADMIN for the tun network configuration that qemu does (specifically the TUNSETIFF ioctl), and the only way to get the capability is to start the process as root. Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once the network configuration is done, but that means modifications to qemu itself to release the capabilities, and would still leave qemu as a suid-root binary, which it would be nicer to avoid. Is there any way around this? I expected to be able to configure capabilities for executables in the filesystem, but it appears there are serious problems with that concept so the kernel doesn't support it. -- Kevin F. Quinn
signature.asc
Description: PGP signature
_______________________________________________ Qemu-devel mailing list Qemu-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/qemu-devel
