Anthony Liguori wrote:
> Let's not kid ourselves, no matter what we do we're giving a user
> elevated privileges. Even with NAT, if the host can access the NAT'ed
> network, then you can run a privileged service (like NFS) in that
> network.

I don't see how outgoing NAT (SNAT), where the guest can make _outgoing_ connections to the network, allows the guest to run a privileged service accessible to the network. Sure, the guest can run an NFS server, but it means nothing to the outside - it's on the guest's own private little network. Same as Slirp.

The guest cannot even make an outgoing request which appears to come from a privileged port - if the SNAT rule has the appropriate options to force the port into an unprivileged range.

For the guest's NFS server to be visible to the network requires incoming NAT (DNAT) on the host, often called "port forwarding". But that is done by explicit administration; if you can do that, you can run a privileged service on the host anyway.

> I think the best we can do is provide a tool that allows an
> administrator to grant users additional privileges in the tiniest
> increments possible. Putting people in wheel just so they can do
> virtualization is too much.
>
> I don't see having an fscap-based helper as creating policy. I see it
> as adding a mechanism for administrators to create policy.

I agree with both of these.

-- Jamie
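The two cases Jamie distinguishes, written out as an added example that is not part of the thread: netfilter rules for outgoing SNAT with the translated source port forced into the unprivileged range, beside the explicit DNAT port forward that would be needed before a guest service is reachable at all. Interface names, the guest subnet and the host address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Prints the iptables
# commands for both cases so they can be reviewed before being applied.
LAN_IF="virbr0"               # assumed: bridge the guests are attached to
WAN_IF="eth0"                 # assumed: host's external interface
GUEST_NET="192.168.122.0/24"  # assumed: guests' private network
HOST_IP="203.0.113.5"         # assumed: host's public address (documentation range)

# Outgoing NAT (SNAT). Without an explicit port range, netfilter preserves the
# privilege class of the original source port (a guest connecting from port
# 20 would still leave the host from a port below 512). The 1024-65535 range
# forces every translated source port into the unprivileged range; the port
# range is only accepted with -p tcp / -p udp, so other protocols get a plain
# address-only SNAT rule.
snat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -p tcp -j SNAT --to-source $HOST_IP:1024-65535" \
      "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -p udp -j SNAT --to-source $HOST_IP:1024-65535" \
      "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j SNAT --to-source $HOST_IP" \
      "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT" \
      "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Incoming NAT (DNAT, "port forwarding"). Only rules like these make a guest
# service visible from the network, and adding them is an explicit
# administrative action on the host.
dnat_rules() {
    guest_ip="$1"; host_port="$2"; guest_port="$3"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $host_port -j DNAT --to-destination $guest_ip:$guest_port" \
      "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $guest_ip --dport $guest_port -m state --state NEW -j ACCEPT"
}

# Review the output; pipe it through 'sh' as root to apply the rules.
snat_rules
dnat_rules 192.168.122.10 2049 2049   # constructed: expose one guest's NFS port
```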