Message-ID: <5284E0A6.30402@cloudius-systems.com>
Date: Thu, 14 Nov 2013 16:39:34 +0200
From: Avi Kivity
References: <20131114132940.GB26847@stefanha-thinkpad.redhat.com>
In-Reply-To: <20131114132940.GB26847@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH] build: set up capabilities on qemu-bridge-helper
To: Stefan Hajnoczi
Cc: Michael Tokarev, qemu-devel@nongnu.org, Cole Robinson

On 11/14/2013 03:29 PM, Stefan Hajnoczi wrote:
> On Tue, Nov 12, 2013 at 01:10:24PM +0200, Avi Kivity wrote:
>> Out-of-the-box, 'make install' sets up an unusable qemu-bridge-helper since
>> it doesn't have the required capabilities.
>>
>> Fix by adding them.
> Up until now, downstreams had to make the bridge helper executable
> setuid, add the cap_net_admin capability, or they did nothing and it was
> broken ;-). CCing downstream package maintainers in case they have any
> comments on this patch.

And it was, indeed, broken.

>
>> Note: this may break installing as non-root. This is actually the right
>> thing to do, since not setting up the capability would result in a broken
>> setup. Perhaps we need a configure flag to disable helpers.
> Users who have been successfully installing QEMU would be upset if it
> suddenly starts failing after this patch. The bridge helper is a niche
> feature that shouldn't cause a regression for the majority of users who
> don't care about it.
>
> If we're installing non-root then the bridge helper simply shouldn't be
> installed.

Or maybe installed without the capabilities? This way if the user invokes qemu with sudo, it still works as before.
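
The three install outcomes discussed in this thread (setuid helper, helper with the cap_net_admin file capability, helper with neither) can be told apart on an installed system by reading the file mode and the `security.capability` xattr. The following is an added example, not part of the thread or of QEMU's build system; the function names and the sample xattr are constructed for illustration.

```python
import os
import stat
import struct

CAP_NET_ADMIN = 12                 # capability number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs in the xattr
VFS_CAP_U32 = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def parse_file_caps(raw):
    """Decode a security.capability xattr into (permitted_mask, effective_flag)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = VFS_CAP_U32.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = 0
    for i in range(pairs):
        (low,) = struct.unpack_from("<I", raw, 4 + 8 * i)  # permitted word i
        permitted |= low << (32 * i)
    return permitted, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify_helper(mode, owner_uid, cap_xattr):
    """Say how an installed helper would obtain CAP_NET_ADMIN, if at all."""
    if cap_xattr:
        permitted, effective = parse_file_caps(cap_xattr)
        if (permitted >> CAP_NET_ADMIN) & 1:
            return "file-cap" if effective else "file-cap-not-effective"
    if mode & stat.S_ISUID and owner_uid == 0:
        return "setuid-root"
    return "unprivileged"  # per the thread: usable only when qemu is run via sudo


def audit(path):
    """Inspect a real installed helper (Linux only)."""
    st = os.stat(path)
    try:
        xattr = os.getxattr(path, "security.capability")
    except OSError:  # no capability xattr set, or filesystem without xattrs
        xattr = None
    return classify_helper(st.st_mode, st.st_uid, xattr)


# Constructed sample: revision 2 xattr, CAP_NET_ADMIN permitted and effective.
SAMPLE_XATTR = struct.pack("<IIIII", 0x02000000 | 1, 1 << CAP_NET_ADMIN, 0, 0, 0)
```

`audit()` takes the path of the installed helper; a result of `"unprivileged"` corresponds to the "installed without the capabilities" case proposed above.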