From: Ben Taylor <sol10x86@cox.net>
To: qemu-devel@nongnu.org
Subject: Re: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
Date: Sat, 10 Feb 2007 7:02:00 -0500	[thread overview]
Message-ID: <24712216.1171108920762.JavaMail.root@eastrmwml08.mgt.cox.net> (raw)


---- "Kevin F. Quinn" <ml@kevquinn.com> wrote: 
> On Fri, 9 Feb 2007 22:48:51 +0000
> Paul Brook <paul@codesourcery.com> wrote:
> 
> > I've very little sympathy (read: none) for people who "accidentally"
> > break things by running them as root.
> 
> On a related note, I've been running qemu(-system 0.8.2) as root
> recently as a hopefully temporary measure so that it can set up the
> network interfaces.  Recent linux kernels require CAP_NET_ADMIN for the
> tun network configuration that qemu does (specifically the TUNSETIFF
> ioctl), and the only way to get the capability is to start the process
> as root.
> 
> Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once
> the network configuration is done, but that means modifications to qemu
> itself to release the capabilities, and would still leave qemu as a
> suid-root binary, which it would be nicer to avoid.
> 
> Is there any way around this?  I expected to be able to configure
> capabilities for executables in the filesystem, but it appears there
> are serious problems with that concept so the kernel doesn't support
> it.

I just dealt with that.  I got a patch for tap for Solaris and I have a setuid script
that creates the tap and uses the /etc/qemu-ifup script to configure the interface,
then calls a script with the file descriptor of the tap interface to a script which
then invokes qemu with the right parameters.

Ben
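A privileged TAP helper in the shape the thread describes (create the device while still holding CAP_NET_ADMIN, then give up root for good before the descriptor is handed on), as an added example that is neither code from this thread nor QEMU's own; the helper names, the TAP flags and the order of the privilege-drop calls are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <linux/if_tun.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Build the TUNSETIFF request for a TAP device (hypothetical helper); -1 on a bad name. */
int tap_ifreq(struct ifreq *ifr, const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) >= IFNAMSIZ)
        return -1;
    memset(ifr, 0, sizeof *ifr);
    ifr->ifr_flags = IFF_TAP | IFF_NO_PI;   /* ethernet frames, no packet-info header */
    strncpy(ifr->ifr_name, name, IFNAMSIZ - 1);
    return 0;
}

/* Create the TAP interface: this is the one step that needs CAP_NET_ADMIN. fd or -1. */
int tap_open(const char *name)
{
    struct ifreq ifr;
    if (tap_ifreq(&ifr, name) < 0) { errno = EINVAL; return -1; }
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Give up root permanently: groups first, then gid, then uid, then verify it cannot return. */
int drop_root(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;
    if (setresuid(uid, uid, uid) < 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || geteuid() == 0)) return -1; /* drop did not stick */
    return 0;   /* only the tap fd remains privileged; exec qemu with it from here */
}
```

After `drop_root()` succeeds the process holds no capabilities, so the fd is the only thing qemu inherits and qemu itself never has to be setuid-root.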

Thread overview (4+ messages):
2007-02-10 12:02 Ben Taylor [this message]
  -- strict thread matches above, loose matches on Subject: below --
2007-02-09 22:19 [Qemu-devel] Two quick requests Rob Landley
2007-02-09 22:27 ` Paul Brook
2007-02-09 22:33   ` Dan Shearer
2007-02-09 22:48     ` Paul Brook
2007-02-10 11:53       ` CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.) Kevin F. Quinn
2007-02-10 15:11         ` Paul Brook
2007-02-12  9:49           ` Chris Friedhoff