On 18/04/2013 19:32, Laine Stump wrote:
> On 03/25/2013 10:25 AM, Paolo Bonzini wrote:
>> uses a helper application to do the necessary
>> TUN/TAP setup to use an existing network bridge, thus letting
>> unprivileged users use TUN/TAP interfaces.
>>
>> However, libvirt should be preventing QE
On Fri, Apr 19, 2013 at 10:05:33AM -0400, Corey Bryant wrote:
>
>
> On 04/19/2013 09:51 AM, Daniel P. Berrange wrote:
> >On Fri, Apr 19, 2013 at 09:47:05AM -0400, Corey Bryant wrote:
> >>
> >>[snip]
> >>>
> >>>I still don't like using qemu-bridge-helper, but this is better than the
> >>>alternati
On 04/19/2013 09:51 AM, Daniel P. Berrange wrote:
On Fri, Apr 19, 2013 at 09:47:05AM -0400, Corey Bryant wrote:
[snip]
I still don't like using qemu-bridge-helper, but this is better than the
alternative of having qemu call it (although, due to the way that
process capabilities work, we ar
On Fri, Apr 19, 2013 at 09:47:05AM -0400, Corey Bryant wrote:
>
> [snip]
> >
> >I still don't like using qemu-bridge-helper, but this is better than the
> >alternative of having qemu call it (although, due to the way that
> >process capabilities work, we are unable to prevent a rogue qemu
> >star
[snip]
I still don't like using qemu-bridge-helper, but this is better than the
alternative of having qemu call it (although, due to the way that
process capabilities work, we are unable to prevent a rogue qemu
started by unprivileged libvirtd from calling it :-(
Maybe we can introduce a tig
On 04/18/2013 11:32 AM, Laine Stump wrote:
> On 03/25/2013 10:25 AM, Paolo Bonzini wrote:
>> uses a helper application to do the necessary
>> TUN/TAP setup to use an existing network bridge, thus letting
>> unprivileged users use TUN/TAP interfaces.
>>
>> @@ -3746,7 +3828,6 @@ error:
>> char *
>
On 03/25/2013 10:25 AM, Paolo Bonzini wrote:
> uses a helper application to do the necessary
> TUN/TAP setup to use an existing network bridge, thus letting
> unprivileged users use TUN/TAP interfaces.
>
> However, libvirt should be preventing QEMU from running any setuid
> programs at all, which
uses a helper application to do the necessary
TUN/TAP setup to use an existing network bridge, thus letting
unprivileged users use TUN/TAP interfaces.
However, libvirt should be preventing QEMU from running any setuid
programs at all, which would include this helper program. From
a security POV,