On 11/08/2009 12:12 AM, Anthony Liguori wrote:
> Arnd Bergmann wrote:
>> Well, the difference matters from a security perspective. The sudo
>> script that Avi suggested just means that you can guarantee you don't
>> introduce any security holes through a suid executable. Fortunately,
>> it does not impact the contents of your helper either, only the
>> installation. You could even be clever in qemu and call the helper
>> using sudo if qemu is running as an unprivileged user and the helper is
>> not a suid file.
> Or just use fscaps and not even worry about suid :-) That's the
> preferred model.
fscaps does not eliminate the security concern, just reduces it.
CAP_NET_ADMIN is way too powerful to let loose.
If the sudo script execs your binary then we can install everything
without special privileges. All it takes then to enable bridging for
non-privileged users is a line in /etc/sudoers allowing the script to be
run without a password prompt (and of course, for someone to set up
bridging and dhcp and to allocate MAC addresses).
--
error compiling committee.c: too many arguments to function
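The two pieces the thread describes, a NOPASSWD sudoers line for the helper and a qemu-side choice between running the helper directly or via sudo, as an added example that is not code from the thread or from qemu. The helper path, the `QEMU_BRIDGE_HELPER` variable, and the function names are assumptions made here for illustration; the helper itself (bridge setup, MAC allocation) is out of scope and is just passed through.

```shell
#!/bin/sh
# Added example, not from the original thread or from qemu.
# Assumption: the bridge helper is an ordinary (non-suid) binary, e.g.
# QEMU_BRIDGE_HELPER=/usr/lib/qemu/qemu-bridge-helper (hypothetical path),
# and an admin has set up bridging and dhcp separately.

# Emit the /etc/sudoers line that lets one user run exactly this helper
# without a password prompt. Restricting the command to the full helper
# path is what keeps the grant narrow; nothing else gains root.
# $1 = user name, $2 = absolute helper path
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Decide how the caller (qemu) should invoke the helper, following the
# "be clever in qemu" idea: run it directly when that already works,
# fall back to sudo only when it would otherwise fail.
# $1 = helper path, $2 = effective uid of the caller (default: current euid)
# Prints "direct" or "sudo".
choose_invocation() {
    helper=$1
    euid=${2:-$(id -u)}
    if [ "$euid" -eq 0 ]; then
        echo direct          # already root, nothing to escalate
        return 0
    fi
    if [ -u "$helper" ]; then
        echo direct          # setuid bit set: the helper escalates itself
        return 0
    fi
    # fscaps installation: the file carries CAP_NET_ADMIN, no suid needed.
    # getcap may be absent on the build host, so guard it.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$helper" 2>/dev/null | grep -q cap_net_admin; then
        echo direct
        return 0
    fi
    echo sudo                # plain binary, unprivileged caller: go via sudoers
}

# Run the helper with the chosen method. "sudo -n" never prompts, so a
# missing NOPASSWD grant fails fast instead of hanging qemu on a tty.
run_helper() {
    helper=$1
    shift
    case $(choose_invocation "$helper") in
        direct) "$helper" "$@" ;;
        sudo)   sudo -n "$helper" "$@" ;;
    esac
}

# Example use (paths are hypothetical):
#   sudoers_line qemu-user /usr/lib/qemu/qemu-bridge-helper >> /etc/sudoers.d/qemu
#   run_helper /usr/lib/qemu/qemu-bridge-helper --br=br0 --fd=3
```

The sudo route and the fscaps route differ in what the grant covers: `sudo` hands root to one specific path listed in sudoers, while a CAP_NET_ADMIN fscap travels with the file and is exercised by whoever can execute it, which is the concern raised above.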