Re: [Qemu-devel] Re: [PATCH 0/4] net-bridge: rootless bridge support for


From: Anthony Liguori
Subject: Re: [Qemu-devel] Re: [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Thu, 05 Nov 2009 07:05:01 -0600
User-agent: Thunderbird 2.0.0.23 (X11/20090825)

Michael S. Tsirkin wrote:
On Wed, Nov 04, 2009 at 02:44:26PM -0600, Anthony Liguori wrote:
Michael S. Tsirkin wrote:
Well it doesn't really help with the issue of privileges which is what this series is really about.

Regards,

Anthony Liguori
I note that by default you grant all users all access.
If you do that, just give them net cap admin already?
By default, I give no users any access.

Oh, I misunderstood. This is what gave me the idea:

] If we fail to include an acl file, we are silent about it making this mechanism
] work pretty seamlessly.

What did you mean, in fact?

The default policy is deny all. If we fail to include the main acl file, we throw an error. If the main acl file includes another acl file, and that file cannot be read (because of EPERM), we are silent. This allows the use of additional included acl files that have different file permissions. This is how we use filesystem permissions to implement more sophisticated acls.

It's kind of weird, but I like the fact that the enforcement is done by the OS as opposed to having the enforcement done by the helper.

Regards,

Anthony Liguori
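
The include behaviour described in the message above, as an added example that is not part of the original message or of the patch series: default deny, a hard error when the main ACL file cannot be opened, and a silent skip when an included file is unreadable to the caller. The `allow <bridge>` / `include <file>` syntax, the file names, and the `sample_open` stand-in for `fopen` (used so the result does not depend on which user runs it) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen() */
#include <errno.h>
#include <stdio.h>
#include <string.h>
typedef FILE *(*acl_open_fn)(const char *path);

/* Constructed sample files: path, contents, errno the open fails with (0 = readable). */
static const struct { const char *path, *text; int err; } sample_fs[] = {
    { "main.acl",  "# main\ninclude alice.acl\ninclude bob.acl\n", 0 },
    { "alice.acl", "allow br0\n", 0 },
    { "bob.acl",   "allow br1\n", EACCES },  /* file mode hides it from the caller */
};

/* Stand-in for fopen(path, "r") over the constructed table above. */
static FILE *sample_open(const char *path) {
    size_t i = 0, n = sizeof sample_fs / sizeof *sample_fs;
    while (i < n && strcmp(path, sample_fs[i].path)) i++;
    errno = i < n ? sample_fs[i].err : ENOENT;
    return errno ? NULL : fmemopen((void *)sample_fs[i].text, strlen(sample_fs[i].text), "r");
}

/* Returns -1 on a hard error; sets *allow when a readable file allows the bridge. */
static int acl_parse(const char *path, int depth, const char *bridge,
                     acl_open_fn open_fn, int *allow) {
    char line[512], cmd[16], arg[256];
    FILE *f = open_fn(path);
    if (!f)  /* open() reports a permission failure as EACCES; EPERM is accepted too */
        return (depth > 0 && (errno == EACCES || errno == EPERM)) ? 0 : -1;
    int rc = 0;
    while (rc == 0 && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%15s %255s", cmd, arg) != 2 || cmd[0] == '#') continue;
        if (!strcmp(cmd, "include"))         /* depth cap stops include cycles */
            rc = depth < 8 ? acl_parse(arg, depth + 1, bridge, open_fn, allow) : -1;
        else if (!strcmp(cmd, "allow")) *allow |= !strcmp(arg, bridge);
        else rc = -1;                        /* unknown directive: fail closed */
    }
    fclose(f);
    return rc;
}

static int acl_check(const char *main_path, const char *bridge, acl_open_fn open_fn) {
    int allow = 0;   /* default policy: deny all; result is 1 allow, 0 deny, -1 error */
    if (acl_parse(main_path, 0, bridge, open_fn, &allow) < 0) return -1;
    return allow;
}

int main(void) {
    printf("br0=%d ", acl_check("main.acl", "br0", sample_open));
    printf("br1=%d\n", acl_check("main.acl", "br1", sample_open));
}
```

The caller gets `br0` from the include it can read and is denied `br1` without any error, because the rule granting it sits in a file the operating system refuses to open for that user.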



