From mboxrd@z Thu Jan  1 00:00:00 1970
From: Iordan Iordanov <iordan@cdf.toronto.edu>
Subject: restricting users to only power control of VMs
Date: Wed, 08 Jun 2011 14:10:29 -0400
Message-ID: <4DEFBB15.9080307@cdf.toronto.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
To: kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from penguin.cdf.utoronto.ca ([128.100.31.106]:52778 "HELO
	smtp.cdf.toronto.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with SMTP id S1750815Ab1FHSRL (ORCPT <rfc822;kvm@vger.kernel.org>);
	Wed, 8 Jun 2011 14:17:11 -0400
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

Hi,

As the subject suggests, we are wondering whether there is any way to 
restrict certain classes of users from performing any action other than 
powering a VM up and down, and resetting it?

If this can't be done with KVM, does anybody have suggestions on how 
this can be accomplished? The only way I can think of is with a setuid 
binary that can only start VMs and send reset and shutdown commands to 
its monitor socket. However, this does seem hackish and can be insecure 
if it's not written perfectly.

Cheers,
Iordan