Re: [Qemu-devel] vhost broken?
From: Michael Tokarev
Subject: Re: [Qemu-devel] vhost broken?
Date: Sat, 21 Jan 2012 14:06:56 +0400
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:5.0) Gecko/20110805 Icedove/5.0

On 21.01.2012 02:13, Lutz Vieweg wrote:
> On 01/05/2012 04:00 PM, Michael S. Tsirkin wrote:
>> Just chmod /dev/vhost-net to allow access
>
> I wonder whether it's considered a security risk to allow non-root
> users access to /dev/vhost-net?
>
> (Or is there a way to have root prepare limited use of vhost for only
> some users or some network devices?)

The usual idiom is to create a dedicated group, chgrp
/dev/vhost-net to this group and add g+rw permission.
That lets you add users to that group to grant them
access.

Initially it was believed that /dev/kvm poses no security
implications whatsoever and can be mode 0666. But later
on several security bugs have been discovered in this
subsystem, so it is a good idea to not grant extra
privileges by default.

/mjt
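
An added example, not part of the original message: a shell check that a device node follows the dedicated-group idiom described above (group read/write, nothing for other users), plus a udev rule to keep the setting across reboots. The group name `vhost` and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a device node against the dedicated-group idiom.
# VHOST_GROUP is an assumed group name, not one given in the thread.
VHOST_GROUP="${VHOST_GROUP:-vhost}"

# Print "<octal mode> <group>" for a path (GNU stat, falling back to BSD stat).
node_perms() {
    stat -c '%a %G' "$1" 2>/dev/null || stat -f '%Lp %Sg' "$1"
}

# Return 0 only when the node is group read/write, owned by the expected
# group, and grants nothing to other users; otherwise print the reason.
check_node() {
    path=$1
    want_group=$2
    [ -e "$path" ] || { echo "$path: not present"; return 2; }
    set -- $(node_perms "$path")
    mode=$1
    group=$2
    case $mode in
        *[1-7]) echo "$path: mode $mode grants access to every local user"; return 1 ;;
    esac
    case $mode in
        *[67]0) ;;
        *) echo "$path: mode $mode lacks group read/write"; return 1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is $group, expected $want_group"
        return 1
    fi
    echo "$path: ok ($mode, group $group)"
}

# udev rule that reapplies the setting whenever the node is created, since
# a manual chgrp/chmod on /dev does not survive a reboot.
udev_rule() {
    printf 'KERNEL=="vhost-net", GROUP="%s", MODE="0660"\n' "$1"
}

# Audit the real node when it exists; a failed check is reported, not fatal.
if [ -e /dev/vhost-net ]; then
    check_node /dev/vhost-net "$VHOST_GROUP" || true
fi
```

The output of `udev_rule` belongs in a rules file under `/etc/udev/rules.d/`; the file name is the administrator's choice.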