From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.33) id 1Baykm-0007gw-J3 for qemu-devel@nongnu.org; Thu, 17 Jun 2004 11:24:36 -0400 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.33) id 1Baykk-0007gS-KQ for qemu-devel@nongnu.org; Thu, 17 Jun 2004 11:24:36 -0400 Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.33) id 1Baykk-0007gH-I2 for qemu-devel@nongnu.org; Thu, 17 Jun 2004 11:24:34 -0400 Received: from [134.58.240.45] (helo=thumbler.kulnet.kuleuven.ac.be) by monty-python.gnu.org with esmtp (Exim 4.34) id 1BayjK-0005TF-Ka for qemu-devel@nongnu.org; Thu, 17 Jun 2004 11:23:06 -0400 Received: from localhost (localhost [127.0.0.1]) by thumbler.kulnet.kuleuven.ac.be (Postfix) with ESMTP id D4AEB137694 for ; Thu, 17 Jun 2004 17:23:04 +0200 (CEST) Received: from octavianus.kulnet.kuleuven.ac.be (octavianus.kulnet.kuleuven.ac.be [134.58.240.71]) by thumbler.kulnet.kuleuven.ac.be (Postfix) with ESMTP id 5A446137658 for ; Thu, 17 Jun 2004 17:23:04 +0200 (CEST) Received: from [127.0.0.1] (srv04.mech.kuleuven.ac.be [134.58.24.40]) by octavianus.kulnet.kuleuven.ac.be (Postfix) with ESMTP id 2C517AEE34 for ; Thu, 17 Jun 2004 17:23:04 +0200 (CEST) Message-ID: <40D1B7BB.201@mech.kuleuven.ac.be> Date: Thu, 17 Jun 2004 17:24:43 +0200 From: Panagiotis Issaris MIME-Version: 1.0 Subject: Re: [Qemu-devel] [PATCH] Security house-cleaning References: <20040617043838.GA1938@sentinelchicken.org> <1087484840.21569.108.camel@sherbert> <20040617151418.GD27872@cs.unibo.it> In-Reply-To: <20040617151418.GD27872@cs.unibo.it> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig15D27C81BF6D325F5978A8EF" Reply-To: qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig15D27C81BF6D325F5978A8EF Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Hi Renzo, Renzo Davoli wrote: >On Thu, Jun 17, 2004 at 04:07:20PM +0100, Gianni Tedesco wrote: > > >>Thats only worrisome from a security perspective if qemu was designed to >>run SUID, which I doubt that it is... Of course it's a bug and needs >>fixing though. >> >> > >One of the main pros of Qemu (among the others) it that it has been >designed NOT to run SUID. >The only piece of code that need root access is tuntap networking. >This problem can be circunvented by: >- using sudo for tuntap > > If you run it using sudo, you can limit the users who are allowed to run it, but the process will still run as root, which will not prevent exploits being able to run with root-permissions. >- using user net (a.k.a slirp) >- using vde. > > With friendly regards, Takis -- ------------------------------------------------------------------------ Panagiotis Issaris Katholieke Universiteit Leuven Division Production Engineering, Machine Design and Automation Celestijnenlaan 300B panagiotis.issaris@mech.kuleuven.ac.be B-3001 Leuven Belgium http://www.mech.kuleuven.ac.be/pma ------------------------------------------------------------------------ --------------enig15D27C81BF6D325F5978A8EF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFA0bfC9kOxLuzz4CkRAoUuAJwLgVwZrMDJ9R94syfSAUIX3LFzmQCfR8vD YcRJGiGNQKnTKqe5aIMbtdo= =NITE -----END PGP SIGNATURE----- --------------enig15D27C81BF6D325F5978A8EF--