Message-ID: <4F1A8E40.5030201@msgid.tls.msk.ru>
Date: Sat, 21 Jan 2012 14:06:56 +0400
From: Michael Tokarev
References: <4F058410.8050206@redhat.com> <4F058686.2030805@redhat.com> <20120105150047.GB2751@redhat.com>
Subject: Re: [Qemu-devel] vhost broken?
To: Lutz Vieweg
Cc: qemu-devel@nongnu.org

On 21.01.2012 02:13, Lutz Vieweg wrote:
> On 01/05/2012 04:00 PM, Michael S. Tsirkin wrote:
>> Just chmod /dev/vhost-net to allow access
>
> I wonder whether it's considered a security risk to allow non-root
> users access to /dev/vhost-net?
>
> (Or is there a way to have root prepare limited use of vhost for only
> some users or some network devices?)

Usual idiom is to create a dedicated group, chgrp /dev/vhost-net
to this group and add g+rw permission. That lets you add users to
that group to grant them access.

Initially it was believed that /dev/kvm poses no security implications
whatsoever and can be mode 0666. But later on several security bugs
have been discovered in this subsystem, so it is a good idea to
not grant extra privileges by default.

/mjt
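
The dedicated-group idiom from the reply above, together with a check for the world-accessible mode it warns against, as an added example that is not part of the original message. The group name `vhost`, the user `alice`, the helper names and the extra `o-rwx` are assumptions made for illustration; GNU `stat` on Linux is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux with GNU stat.

# classify_node PATH
# Prints one of: missing | world-accessible | group-restricted | owner-only
classify_node() {
    node=$1
    [ -e "$node" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$node") || return 1
    other=$(( mode % 10 ))          # last octal digit: bits for "other"
    group=$(( (mode / 10) % 10 ))   # second-to-last digit: bits for group
    if [ $(( other & 6 )) -ne 0 ]; then
        echo world-accessible       # e.g. 0666: any local user can open it
    elif [ $(( group & 6 )) -ne 0 ]; then
        echo group-restricted       # e.g. 0660: access follows group membership
    else
        echo owner-only
    fi
}

# restrict_node PATH GROUP
# chgrp the node and add g+rw, as the message describes. The o-rwx part is an
# addition here: it undoes an earlier blanket chmod such as 0666.
restrict_node() {
    chgrp "$2" "$1" &&
    chmod g+rw,o-rwx "$1"
}

# audit_nodes PATH...  prints "path: classification" for each node.
audit_nodes() {
    for n in "$@"; do
        printf '%s: %s\n' "$n" "$(classify_node "$n")"
    done
}

# Typical use as root (hypothetical group and user names):
#   groupadd vhost
#   restrict_node /dev/vhost-net vhost
#   usermod -aG vhost alice
# The audit below is read-only and safe to run as any user.
audit_nodes /dev/vhost-net /dev/kvm
```

Permissions set directly on a `/dev` node do not survive a reboot, so a persistent setup would put the same group and mode in a udev rule.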