From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1N63zl-0002rD-4d
	for qemu-devel@nongnu.org; Thu, 05 Nov 2009 10:11:29 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1N63zg-0002kD-5K
	for qemu-devel@nongnu.org; Thu, 05 Nov 2009 10:11:28 -0500
Received: from [199.232.76.173] (port=56200 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1N63zg-0002k2-0z
	for qemu-devel@nongnu.org; Thu, 05 Nov 2009 10:11:24 -0500
Received: from mx1.redhat.com ([209.132.183.28]:53906)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <avi@redhat.com>) id 1N63zf-0004hS-L6
	for qemu-devel@nongnu.org; Thu, 05 Nov 2009 10:11:23 -0500
Message-ID: <4AF2EB17.8090202@redhat.com>
Date: Thu, 05 Nov 2009 17:11:19 +0200
From: Avi Kivity <avi@redhat.com>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support
	for qemu
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com>
	<4AF2E247.3090409@redhat.com> <4AF2E7CE.8010506@us.ibm.com>
In-Reply-To: <4AF2E7CE.8010506@us.ibm.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony Liguori <aliguori@us.ibm.com>
Cc: Mark McLoughlin <markmc@redhat.com>, Arnd Bergmann <arndbergmann@googlemail.com>, Dustin Kirkland <kirkland@canonical.com>, Juan Quintela <quintela@redhat.com>, qemu-devel@nongnu.org, Michael Tsirkin <mst@redhat.com>

On 11/05/2009 04:57 PM, Anthony Liguori wrote:
> Avi Kivity wrote:
>>> At least with KVM support, this is probably the most common use case 
>>> which means
>>> that most of our users are running qemu as root.  That's terrible.
>>
>> Most of our users run managed systems.
>
> I consider management software as a user. 

It isn't.  A user is a person, and -net bridge helps people.

> Today, most management software launches qemu as root.  libvirt is 
> just getting around to fixing this although they still are running it 
> as a single user instead of as the user requesting the vm be launched.

That's a libvirt bug.  Maybe they should adopt your helper.

> The fundamental problem, is that to use qemu as a non-privileged user, 
> you need to go from userA -> root -> userB.  For the lazy, it's 
> easiest just to make userA == userB == root.  IMHO, the ideal thing is 
> to always be userA.

Agreed.

> If we make this easy for management software to do, they're more 
> likely to do the right thing.

But we're forcing our style of security management on them.  How to 
store permissions is the management system's job (and for a clu^Houd, it 
will typically be stored in a central database, not be scattered around 
/etc).

Again, IMO we should stick to making a guest work, and leave all the 
glue to management.

-- 
error compiling committee.c: too many arguments to function