On Tue, Jan 19, 2021 at 08:04:29PM +0530, P J P wrote:
> +-- On Mon, 18 Jan 2021, Stefan Hajnoczi wrote --+
> | Guest applications may run with different uids/gids. The host has no control
> | over that.
> |
> | Imagine booting a guest from a virtio-fs root file system and installing
> | packages. The guest must be able to control uids/gids for that to work.
>
> * I see; I'll try to better understand how it's done.
>
> * With UID namespaces, I thought virtiofsd(1) would be able to operate files
>   with arbitrary uid/gid, even after dropping its root privileges to acquire
>   non-root privileges on the host; Because it has 'root' privileges under the
>   shared directory & UID namespace.
>
> | > $ ./virtiofsd -runas test -o source=...
> |
> | Patches for this are welcome.
>
> * Okay, will try.

Catching up with this thread now. I had posted minimal patches to allow
running virtiofsd unprivileged. They did not make further progress though.

https://patchew.org/QEMU/[email protected]/

While being able to run virtiofsd in a user namespace is certainly valuable,
I feel being able to run virtiofsd unprivileged has its use cases as well.
For example, if a user wants to share just its home directory on host with
guest. In that case, we probably don't require a lot of privileged operations
to be performed by virtiofsd.

Vivek
