Re: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
From: Ben Taylor
Subject: Re: CAP_NET_ADMIN (was Re: [Qemu-devel] Two quick requests.)
Date: Sat, 10 Feb 2007 7:02:00 -0500

---- "Kevin F. Quinn" <address@hidden> wrote:
> On Fri, 9 Feb 2007 22:48:51 +0000
> Paul Brook <address@hidden> wrote:
>
> > I've very little sympathy (read: none) for people who "accidentally"
> > break things by running them as root.
>
> On a related note, I've been running qemu(-system 0.8.2) as root
> recently as a hopefully temporary measure so that it can set up the
> network interfaces. Recent Linux kernels require CAP_NET_ADMIN for the
> tun network configuration that qemu does (specifically the TUNSETIFF
> ioctl), and the only way to get the capability is to start the process
> as root.
>
> Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once
> the network configuration is done, but that means modifications to qemu
> itself to release the capabilities, and would still leave qemu as a
> suid-root binary, which it would be nicer to avoid.
>
> Is there any way around this? I expected to be able to configure
> capabilities for executables in the filesystem, but it appears there
> are serious problems with that concept so the kernel doesn't support
> it.

I just dealt with that. I got a patch for tap for Solaris and I have a setuid
script that creates the tap and uses the /etc/qemu-ifup script to configure the
interface, then calls a script with the file descriptor of the tap interface to
a script which then invokes qemu with the right parameters.

Ben
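
The helper pattern described in this message, shown for the Linux TUNSETIFF case from the quoted text (an added example, not code from the thread or from qemu). It assumes the helper is installed setuid-root, the emulator binary is named `qemu`, and a default interface name of `tap0`; `open_tap`, `drop_privileges` and `tap_net_arg` are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <linux/if_tun.h>

/* Privileged step (needs CAP_NET_ADMIN): attach a tap device; fd or -errno. */
int open_tap(const char *name) {
    struct ifreq ifr;
    if (strlen(name) >= IFNAMSIZ) return -ENAMETOOLONG;
    int fd = open("/dev/net/tun", O_RDWR);   /* no O_CLOEXEC: must survive exec */
    if (fd < 0) return -errno;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    memcpy(ifr.ifr_name, name, strlen(name) + 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { int e = errno; close(fd); return -e; }
    return fd;
}

/* Permanently become uid/gid. Order matters: groups, then gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -errno;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    /* Refuse to continue if root can still be regained. */
    if (uid != 0 && setuid(0) == 0) return -EPERM;
    return 0;
}

/* Build the "-net" value that hands the inherited tap fd to qemu. */
int tap_net_arg(int fd, char *buf, size_t len) {
    int n = snprintf(buf, len, "tap,fd=%d", fd);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(int argc, char **argv) {
    char arg[32];
    int fd = open_tap(argc > 1 ? argv[1] : "tap0");   /* assumed default name */
    if (fd < 0) { fprintf(stderr, "tap: %s\n", strerror(-fd)); return 1; }
    /* In a setuid-root helper getuid()/getgid() are the invoking user's ids. */
    if (drop_privileges(getuid(), getgid()) < 0) return 1;
    if (tap_net_arg(fd, arg, sizeof arg) < 0) return 1;
    execlp("qemu", "qemu", "-net", "nic", "-net", arg, (char *)NULL);
    return 1;   /* only reached if exec failed */
}
```

Only the helper holds root, and only until TUNSETIFF returns; qemu itself starts as the invoking user with nothing but the open tap descriptor.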