From mboxrd@z Thu Jan  1 00:00:00 1970
From: Avi Kivity <avi@redhat.com>
Subject: Re: restricting users to only power control of VMs
Date: Thu, 09 Jun 2011 11:14:57 +0300
Message-ID: <4DF08101.5070100@redhat.com>
References: <4DEFBB15.9080307@cdf.toronto.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org
To: Iordan Iordanov <iordan@cdf.toronto.edu>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:50465 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1756003Ab1FIIPg (ORCPT <rfc822;kvm@vger.kernel.org>);
	Thu, 9 Jun 2011 04:15:36 -0400
In-Reply-To: <4DEFBB15.9080307@cdf.toronto.edu>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 06/08/2011 09:10 PM, Iordan Iordanov wrote:
> Hi,
>
> As the subject suggests, we are wondering whether there is any way to 
> restrict certain classes of users from performing any action other 
> than powering a VM up and down, and resetting it?
>
> If this can't be done with KVM, does anybody have suggestions on how 
> this can be accomplished? The only way I can think of is with a setuid 
> binary that can only start VMs and send reset and shutdown commands to 
> its monitor socket. However, this does seem hackish and can be 
> insecure if it's not written perfectly.

It's a job for the management layer; I think it should be easy to script 
libvirt to do this.

-- 
error compiling committee.c: too many arguments to function