From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4AF67D20.4080602@redhat.com>
Date: Sun, 08 Nov 2009 10:11:12 +0200
From: Avi Kivity
Subject: Re: [Qemu-devel] [PATCH 0/4] net-bridge: rootless bridge support for qemu
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com>
 <4AF5413F.3020301@redhat.com>
 <4AF57F13.3040109@codemonkey.ws>
 <200911072250.39440.arnd@arndb.de>
 <4AF5F0D4.4070800@codemonkey.ws>
In-Reply-To: <4AF5F0D4.4070800@codemonkey.ws>
To: Anthony Liguori
Cc: Mark McLoughlin, Anthony Liguori, Arnd Bergmann, Arnd Bergmann, Dustin Kirkland, Juan Quintela, qemu-devel@nongnu.org, Michael Tsirkin

On 11/08/2009 12:12 AM, Anthony Liguori wrote:
> Arnd Bergmann wrote:
>> Well, the difference matters from a security perspective. The sudo
>> script that Avi suggested just means that you can guarantee you don't
>> introduce any security holes through a suid executable. Fortunately,
>> it does not impact the contents of your helper either, only the
>> installation. You could even be clever in qemu and call the helper
>> using sudo if qemu is running as an unprivileged user and the helper is
>> not a suid file.
>
> Or just use fscaps and not even worry about suid :-) That's the
> preferred model.

fscaps does not eliminate the security concern, just reduces it.
CAP_NET_ADMIN is way too powerful to let loose.

If the sudo script execs your binary then we can install everything
without special privileges. All it takes then to enable bridging for
non-privileged users is a line in /etc/sudoers allowing the script to
be run without a password prompt (and of course, for someone to set up
bridging and dhcp and to allocate MAC addresses).

--
error compiling committee.c: too many arguments to function
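The installation model Avi describes above, as an added example that is not code from this thread or from QEMU: a shell audit that confirms the helper binary itself carries no privilege of its own (no setuid/setgid bit, no file capabilities, not writable by others), so that root access reaches it only through the sudo-invoked wrapper script, plus the single sudoers entry that model needs. The group name and all paths are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from QEMU. Paths and the
# group name are placeholders.

# audit_helper FILE: returns 0 if FILE is installed "without special
# privileges": a regular file, not setuid, not setgid, not writable by
# group or others, and (when getcap is available) carrying no file
# capabilities. Prints the first problem found and returns 1 otherwise.
audit_helper() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    [ -u "$f" ] && { echo "$f: setuid bit set"; return 1; }
    [ -g "$f" ] && { echo "$f: setgid bit set"; return 1; }
    # Columns 6 and 9 of 'ls -l' output are the group and other write bits.
    case "$(ls -ld "$f" | cut -c6,9)" in
        *w*) echo "$f: writable by group or others"; return 1 ;;
    esac
    # fscaps would hand the helper CAP_NET_ADMIN directly; flag that too.
    if command -v getcap >/dev/null 2>&1 && getcap "$f" 2>/dev/null | grep -q 'cap_'; then
        echo "$f: has file capabilities (fscaps)"; return 1
    fi
    return 0
}

# sudoers_line GROUP WRAPPER: print the one /etc/sudoers entry that lets
# members of GROUP run WRAPPER as root without a password prompt, and
# nothing else. Install it with visudo rather than editing the file by hand.
sudoers_line() {
    printf '%%%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Usage with placeholder paths: only emit the sudoers line once the helper
# that the wrapper execs passes the audit.
#   audit_helper /usr/local/libexec/qemu-bridge-helper && \
#       sudoers_line qemu /usr/local/sbin/qemu-bridge-wrapper
```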