From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Date: Mon, 09 Nov 2009 08:20:20 -0600
User-agent: Thunderbird 2.0.0.23 (X11/20090825)
Avi Kivity wrote:
> On 11/08/2009 12:11 AM, Anthony Liguori wrote:
>> You don't need root privileges to use a tap device.
>
> You can access a preconfigured tap device but you cannot allocate a tap device and connect it to a bridge without CAP_NET_ADMIN.
>
> btw, shouldn't we, in the general case, create a bridge per user and use IP NAT? If we have a global bridge, users can spoof each other's MAC addresses and interfere with their virtual machines.
qemu-bridge-helper supports that model quite well :-) You would create a NAT'd bridge for each user as the administrator, then create a bridge.conf that consisted of per-user includes with appropriate permissions set on each of those files.
> They can also interfere with the real network. That's not a concern with most one-user-per-machine configurations, but the default configuration should be safe.
Let's not kid ourselves, no matter what we do we're giving a user elevated privileges. Even with NAT, if the host can access the NAT'ed network, then you can run a privileged service (like NFS) in that network. Like it or not, some networks rely on privileged services being trusted as part of their security model (consider NIS).
I think the best we can do is provide a tool that allows an administrator to grant users additional privileges in the tiniest increments possible. Putting people in wheel just so they can do virtualization is too much.
I don't see having an fscap-based helper as creating policy. I see it as adding a mechanism for administrators to create policy.
--
Regards,
Anthony Liguori
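The per-user include model Anthony sketches (a root-owned bridge.conf that pulls in one file per user, with the helper honouring an include only when its permissions are sound) can be illustrated with a small ACL evaluator. The code below is an added example for this thread, not QEMU's qemu-bridge-helper and not its real configuration format: the `allow`/`deny`/`include` keywords, the file paths, the rule that an include applies to the user whose name matches its basename, and the in-memory file table are all constructed assumptions. Its point is the defensive check a helper with CAP_NET_ADMIN must make: a grant coming from a file that an unprivileged user could edit is worthless, so such includes are ignored and the default stays deny.

```python
"""Hypothetical per-user bridge ACL evaluator (constructed example, not QEMU code).

Assumed format (not QEMU's actual bridge.conf syntax):
  allow <bridge>|all     grant the bridge
  deny  <bridge>|all     refuse the bridge
  include <path>         per-user file; applies only to the user whose name
                         is the file's basename, and only if the file is
                         root-owned and not writable by group or other
First matching rule wins; no match means deny.
"""
import os
import stat
from typing import Dict, List, Tuple

# Constructed in-memory "filesystem": path -> (mode bits, owner uid, contents).
CONSTRUCTED_FS: Dict[str, Tuple[int, int, str]] = {
    "/etc/qemu/bridge.conf": (0o644, 0,
        "# administrator-maintained; one include per user\n"
        "include /etc/qemu/bridge.d/alice\n"
        "include /etc/qemu/bridge.d/mallory\n"
        "deny all\n"),
    "/etc/qemu/bridge.d/alice": (0o640, 0, "allow br-alice\n"),
    # group-writable: anyone in the group could append an 'allow', so it must not be trusted
    "/etc/qemu/bridge.d/mallory": (0o664, 0, "allow br0\n"),
}


def include_is_trusted(mode: int, uid: int) -> bool:
    """Only root-owned files that group/other cannot write may grant bridges."""
    return uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def include_is_trusted_on_disk(path: str) -> bool:
    """Same check against a real file via os.stat (for use outside the example)."""
    st = os.stat(path)
    return include_is_trusted(stat.S_IMODE(st.st_mode), st.st_uid)


def load_rules(path: str, user: str, fs=CONSTRUCTED_FS, depth: int = 0) -> List[Tuple[str, str]]:
    """Return the ordered (verb, target) rules from `path` that apply to `user`."""
    if depth > 4:
        raise ValueError("include nesting too deep")
    _mode, _uid, text = fs[path]
    rules: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        arg = arg.strip()
        if verb == "include":
            if os.path.basename(arg) != user:       # another user's file: not ours
                continue
            if arg not in fs:
                continue                             # missing include grants nothing
            imode, iuid, _ = fs[arg]
            if not include_is_trusted(imode, iuid):
                continue                             # editable by non-root: ignored
            rules.extend(load_rules(arg, user, fs, depth + 1))
        elif verb in ("allow", "deny") and arg:
            rules.append((verb, arg))
        else:
            raise ValueError(f"{path}: unrecognised line {raw!r}")
    return rules


def may_use_bridge(user: str, bridge: str, conf: str = "/etc/qemu/bridge.conf",
                   fs=CONSTRUCTED_FS) -> bool:
    """Decide whether `user` may attach a tap to `bridge`; default deny."""
    for verb, target in load_rules(conf, user, fs):
        if target in ("all", bridge):
            return verb == "allow"
    return False


if __name__ == "__main__":
    for who, br in [("alice", "br-alice"), ("alice", "br0"),
                    ("mallory", "br0"), ("bob", "br-alice")]:
        print(f"{who:8} {br:10} -> {'allow' if may_use_bridge(who, br) else 'deny'}")
```

Only alice's request for br-alice is granted: mallory's include carries an `allow br0` line, but because the file is group-writable the helper never reads it, and the trailing `deny all` in the root-owned main file applies. That is the "tiniest increment" shape Anthony argues for: each grant is one root-owned line, and nothing a user can write on their own widens it.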