Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qem


From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
Date: Fri, 06 Nov 2009 08:19:16 -0600
User-agent: Thunderbird 2.0.0.23 (X11/20090825)

Avi Kivity wrote:
Instead of doing silly things into qemu, if there is concern about this, then it should be fixed in Linux properly.

Of course there is concern about it, and you don't have to do anything silly to qemu to avoid it. Just don't call helpers while it's running.

This is unacceptable. We use helpers in multiple places today. We use a helper to configure a tap device that we've allocated, we use it for the exec: protocol for live migration, etc.

Running qemu directly from the command line is absolutely an important use case. A desktop user should not need things like libvirt and virt-manager.

If it cannot be fixed in the kernel, we'll have to work around it in userspace. We can introduce our own spawn() function that works by fork()'ing very early and listening on a socketpair. This will sit reading from the socket waiting for commands to exec. Using a unix socket, we can pass fds that get inherited which we can't do with system().

I'd rather not have a program running with elevated privileges when it's not needed.


suid helpers are dangerous whenever they are on disk; daemons are dangerous only when running.

A suid helper is equivalent to a root daemon from a security perspective. It's just long running vs. transient.

--
Regards,

Anthony Liguori
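
The spawn() mechanism described in the message above (fork very early, wait on a socketpair for commands to exec, pass fds over the unix socket), written out in C as an added example; it is not code from the message, the patch series or QEMU. The names `xfer`, `spawn_helper_start` and `spawn_request` are hypothetical, and the example assumes Linux (`SOCK_CLOEXEC`, `MSG_CMSG_CLOEXEC`) and that the one passed fd becomes the command's stdout.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Move one NUL-terminated command plus one fd (SCM_RIGHTS) over the socket. */
static ssize_t xfer(int sock, char *buf, size_t len, int *fd, int sending) {
    union { char b[CMSG_SPACE(sizeof(int))]; struct cmsghdr h; } u = {{0}};
    struct iovec iov = { buf, len };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = u.b, .msg_controllen = sizeof(u.b) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    if (sending) {
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), fd, sizeof(int));
        return sendmsg(sock, &m, 0);
    }
    ssize_t n = recvmsg(sock, &m, MSG_CMSG_CLOEXEC);
    if (n <= 0 || buf[n - 1] != '\0' || !(c = CMSG_FIRSTHDR(&m)) ||
        c->cmsg_type != SCM_RIGHTS) return -1;   /* EOF, truncated, or no fd */
    memcpy(fd, CMSG_DATA(c), sizeof(int));
    return n;
}

/* Fork the helper early, before sensitive fds exist; returns parent's socket. */
int spawn_helper_start(void) {
    int sv[2], fd, st;
    char cmd[256];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid <= 0) close(sv[1]);     /* helper (or fork failure) drops parent's end */
    if (pid != 0) { close(sv[0]); return pid < 0 ? -1 : sv[1]; }
    while (xfer(sv[0], cmd, sizeof(cmd), &fd, 0) > 0) {
        pid_t p = fork();
        if (p == 0 && dup2(fd, 1) >= 0)     /* passed fd becomes stdout */
            execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        if (p == 0) _exit(127);             /* dup2 or exec failed */
        close(fd);
        if (p < 0 || waitpid(p, &st, 0) < 0) st = -1;
        if (write(sv[0], &st, sizeof(st)) < 0) break;
    }
    _exit(0);   /* parent closed the socket or sent a bad request: stop */
}

/* Run cmd in the helper with fd as its stdout; returns the wait status. */
int spawn_request(int sock, const char *cmd, int fd) {
    int st, ok = xfer(sock, (char *)cmd, strlen(cmd) + 1, &fd, 1) > 0;
    return ok && read(sock, &st, sizeof(st)) == sizeof(st) ? st : -1;
}
```

Because both the control socket and the received fd are close-on-exec, the executed command inherits only the helper's own early fds plus the one fd passed on purpose.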
