Message-ID: <4AF57F13.3040109@codemonkey.ws>
Date: Sat, 07 Nov 2009 08:07:15 -0600
From: Anthony Liguori
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
In-Reply-To: <4AF5413F.3020301@redhat.com>
To: Avi Kivity
Cc: Mark McLoughlin, Anthony Liguori, Arnd Bergmann, Arnd Bergmann, Dustin Kirkland, Juan Quintela, qemu-devel@nongnu.org, Michael Tsirkin

Avi Kivity wrote:
> On 11/07/2009 11:14 AM, Avi Kivity wrote:
>> I'd welcome -net bridge as one of them. But we shouldn't try to
>> invent access control systems or install suid helpers.
>
> We can make the helper a script that does
>
>   exec sudo /the/real/helper "$@"
>
> so a user can add it to /etc/sudoers and get pre-authenticated
> configuration.

The key point of the helper here is that you pass an fd to a socketpair and you then receive an fd over that socket. What the helper does is really less important. Whether it's a script like you suggest or something like I proposed doesn't matter from a qemu perspective.

Whether the qemu-bridge-helper should live in qemu or somewhere else is a valid thing to discuss. In my next posting, I'll have things restructured to separate out the two so that the two series can be considered independently.

Regards,

Anthony Liguori