Message-ID: <4AF43064.9080007@us.ibm.com>
Date: Fri, 06 Nov 2009 08:19:16 -0600
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
In-Reply-To: <4AF3CED1.7080207@redhat.com>
List-Id: qemu-devel.nongnu.org
To: Avi Kivity
Cc: Mark McLoughlin, Arnd Bergmann, Arnd Bergmann, Juan Quintela, Dustin Kirkland, qemu-devel@nongnu.org, Michael Tsirkin

Avi Kivity wrote:
>> Instead of doing silly things into qemu, if there is concern about
>> this, then it should be fixed in Linux properly.
>
> Of course there is concern about it, and you don't have to do anything
> silly to qemu to avoid it. Just not call helpers while it's running.

This is unacceptable. We use helpers in multiple places today. We use a helper to configure a tap device that we've allocated, we use it for the exec: protocol for live migration, etc.

Running qemu directly from the command line is absolutely an important use case. A desktop user should not need things like libvirt and virt-manager.

If it cannot be fixed in the kernel, we'll have to work around it in userspace. We can introduce our own spawn() function that works by fork()'ing very early and listening on a socketpair. This will sit reading from the socket waiting for commands to exec. Using a unix socket, we can pass fds that get inherited which we can't do with system().

>> I'd rather not have a program running with elevated privileges when
>> it's not needed.
>>
>
> suid helpers are dangerous whenever they are on disk; daemons are
> dangerous only when running.

A suid helper is equivalent to a root daemon from a security perspective. It's just long running vs. transient.

--
Regards,

Anthony Liguori