On Fri, Jul 8, 2022 at 10:18 PM Pra.. Dew.. <[email protected]> wrote:
>
> We have been able to setup virtiofs between guest and host (QEMU 6.2/Linux
> 5.15). We run virtiofsd as a non-root user in the host. We did not want to
> run it as a root user in order to minimize the attack surface. We run it as a
> virtiofs user. When we create a file in the shared folder, the permission of
> the file is virtiofs user and virtiofs group. When we read that file from the
> guest it shows virtiofs user (only the uid) and nobody group. The goal is to
> restrict the access of the file to a few services in the guest (not give
> access to all services). We tried to create a group in the guest and tried to
> move the file in the new group. However chown gives "bad descriptor." Is
> there a better way of doing this? Any input is really appreciated. Thank you
> so much!
You can try to run virtiofsd inside a user namespace [1], mapping a range of "host" uid/gid to uid/gid 0 and following in the guest. See "podman unshare" or "lxc-usernsexec".

[1] https://gitlab.com/virtio-fs/virtiofsd#running-as-non-privileged-user

--
German
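As an added illustration of the mapping German describes (this is example code, not from the thread or the virtiofsd project), the script below derives an lxc-usernsexec id mapping from subordinate-id entries and shows how uids/gids translate between the namespace that virtiofsd runs in and the host. The user name "virtiofs", the subordinate ranges, and the share path are constructed placeholders; the `-m <u|g>:ns_id:host_id:count` argument form is lxc-usernsexec's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a user-namespace
# id mapping for an unprivileged virtiofsd from subordinate-id entries, and
# show how ids translate across it. User name, ranges and paths are constructed.

# Constructed /etc/subuid and /etc/subgid entries for the virtiofs user.
# Format is user:first_host_id:count.
SUBUID_ENTRY='virtiofs:100000:65536'
SUBGID_ENTRY='virtiofs:100000:65536'

# Field helpers for a user:start:count entry.
entry_start() { printf '%s\n' "$1" | cut -d: -f2; }
entry_count() { printf '%s\n' "$1" | cut -d: -f3; }

# lxc-usernsexec mapping argument <u|g>:ns_id:host_id:count, mapping
# namespace id 0 and following onto the whole subordinate range.
usernsexec_map() {
  kind="$1"; entry="$2"
  printf '%s:0:%s:%s\n' "$kind" "$(entry_start "$entry")" "$(entry_count "$entry")"
}

# Command line that would start virtiofsd inside such a namespace.
# The share path is a placeholder; add the socket/other flags your build needs.
usernsexec_cmd() {
  printf 'lxc-usernsexec -m %s -m %s -- virtiofsd --shared-dir /path/to/share\n' \
    "$(usernsexec_map u "$SUBUID_ENTRY")" "$(usernsexec_map g "$SUBGID_ENTRY")"
}

# Translate a namespace (guest-visible) id to the host id it is stored under.
# Ids beyond the mapped count have no host identity; the kernel reports them
# as the overflow id (65534, normally named nobody/nogroup).
ns_to_host() {
  entry="$1"; ns_id="$2"
  if [ "$ns_id" -ge 0 ] && [ "$ns_id" -lt "$(entry_count "$entry")" ]; then
    echo $(( $(entry_start "$entry") + ns_id ))
  else
    echo 65534
  fi
}

# Inverse direction: the id the guest sees for a file owned by a given host id.
host_to_ns() {
  entry="$1"; host_id="$2"
  start=$(entry_start "$entry"); count=$(entry_count "$entry")
  if [ "$host_id" -ge "$start" ] && [ "$host_id" -lt $((start + count)) ]; then
    echo $((host_id - start))
  else
    echo 65534
  fi
}

# Check that the range covers an id the guest will use, e.g. the gid of the
# service group that should own the shared files.
covers_id() {
  [ "$2" -ge 0 ] && [ "$2" -lt "$(entry_count "$1")" ]
}

# Stand-alone run: show the command and a couple of translations.
usernsexec_cmd
echo "guest uid 0    -> host uid $(ns_to_host "$SUBUID_ENTRY" 0)"
echo "guest gid 1000 -> host gid $(ns_to_host "$SUBGID_ENTRY" 1000)"
echo "host gid 1001  -> guest gid $(host_to_ns "$SUBGID_ENTRY" 1001)"
```

Because guest id 0 maps onto the start of the subordinate range, a file chowned to a guest group with gid 1000 is stored on the host as gid 100000+1000, and a host file owned by an id outside the range (such as the original virtiofs group's own gid) shows up in the guest as the overflow id, which is what a "nobody" group in the guest usually indicates. Check that the subordinate range is large enough for every uid/gid the guest services will use before relying on it.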
