CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
From: Kevin F. Quinn
Subject: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
Date: Sat, 10 Feb 2007 12:53:08 +0100

On Fri, 9 Feb 2007 22:48:51 +0000
Paul Brook <address@hidden> wrote:

> I've very little sympathy (read: none) for people who "accidentally"
> break things by running them as root.

On a related note, I've been running qemu(-system 0.8.2) as root
recently as a hopefully temporary measure so that it can set up the
network interfaces. Recent Linux kernels require CAP_NET_ADMIN for the
tun network configuration that qemu does (specifically the TUNSETIFF
ioctl), and the only way to get the capability is to start the process
as root.

Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once
the network configuration is done, but that means modifications to qemu
itself to release the capabilities, and would still leave qemu as a
suid-root binary, which it would be nicer to avoid.

Is there any way around this? I expected to be able to configure
capabilities for executables in the filesystem, but it appears there
are serious problems with that concept so the kernel doesn't support
it.

--
Kevin F. Quinn