From: Anthony Liguori
Date: Mon, 09 Nov 2009 09:43:18 -0600
Subject: Re: [Qemu-devel] [PATCH 4/4] Add support for -net bridge
Message-ID: <4AF83896.8030504@us.ibm.com>
In-Reply-To: <20091109153933.GA1073@shareable.org>
References: <1257294485-27015-1-git-send-email-aliguori@us.ibm.com> <1257294485-27015-5-git-send-email-aliguori@us.ibm.com> <1257614967.30774.424.camel@macbook.infradead.org> <4AF5F0A2.8050309@codemonkey.ws> <4AF680FD.5050101@redhat.com> <4AF82524.8080805@us.ibm.com> <20091109153933.GA1073@shareable.org>
To: Jamie Lokier
Cc: Mark McLoughlin, Arnd Bergmann, Dustin Kirkland, Michael Tsirkin, qemu-devel@nongnu.org, Juan Quintela, Avi Kivity, David Woodhouse

Jamie Lokier wrote:
> Anthony Liguori wrote:
>
>> Let's not kid ourselves, no matter what we do we're giving a user
>> elevated privileges. Even with NAT, if the host can access the NAT'ed
>> network, then you can run a privileged service (like NFS) in that
>> network.
>>
>
> I don't see how outgoing NAT (SNAT), where the guest can make
> _outgoing_ connections to the network, allows the guest to run a
> privileged service accessible to the network. Sure, the guest can run
> an NFS server, but it means nothing to the outside - it's on the
> guest's own private little network. Same as Slirp.
>
> The guest cannot even make an outgoing request which appears to come
> from a privileged port - if the SNAT rule has the appropriate options
> to force the port into an unprivileged range.
>
> For the guest's NFS server to be visible to the network requires
> incoming NAT (DNAT) on the host, often called "port forwarding". But
> that is done by explicit administration; if you can do that, you can
> run a privileged service on the host anyway.
>

You are correct, except that I qualified this as NAT with host access,
which so far is the common model. If the host can access the NAT'd
network behind the NAT, then port privileges are important.

-- 
Regards,

Anthony Liguori
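The three cases the thread turns on (SNAT with and without a forced unprivileged source-port range, and inbound reachability with and without an explicit DNAT rule) can be made concrete with a small stateful NAT model. This is an added example written for this archive page, not code from QEMU or from either author; the addresses, ports, the `HostNat` class and the demo functions are all constructed for illustration. The port-selection rule it models (keep the guest's source port when free, otherwise stay in the same privileged/unprivileged class, unless a target port range is configured) is a simplification of what a host packet filter's SNAT/MASQUERADE target does by default.

```python
"""Toy model of host-side NAT for a guest on a private network.

Added example for the thread above (not QEMU code). All IPs, ports and
names are constructed. Port numbers 0-1023 are the "privileged" range a
host process needs extra rights to bind; that is the class the thread
argues about.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PRIV_PORT_MAX = 1023


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HostNat:
    """Stateful SNAT for guest -> outside, plus an explicit DNAT table."""

    def __init__(self, guest_prefix: str, public_ip: str,
                 to_ports: Optional[Tuple[int, int]] = None):
        self.guest_prefix = guest_prefix  # e.g. "10.0.2." (constructed)
        self.public_ip = public_ip        # host's outside address (constructed)
        self.to_ports = to_ports          # None = keep the guest port's class
        self.flows: Dict[int, Tuple[str, int]] = {}     # public port -> guest endpoint
        self.forwards: Dict[int, Tuple[str, int]] = {}  # DNAT: public port -> guest endpoint

    def _pick_port(self, guest_port: int) -> int:
        """Choose the source port the outside world will see."""
        if self.to_ports is None:
            # Default behaviour: preserve the guest's port if it is free,
            # otherwise pick another one in the same privileged/unprivileged class.
            if guest_port not in self.flows:
                return guest_port
            lo, hi = (1, PRIV_PORT_MAX) if guest_port <= PRIV_PORT_MAX else (1024, 65535)
        else:
            # An explicit range (e.g. 1024-65535) forces every guest flow out of
            # the privileged class, which is Jamie's "appropriate options" case.
            lo, hi = self.to_ports
        for port in range(lo, hi + 1):
            if port not in self.flows:
                return port
        raise RuntimeError("SNAT port range exhausted")

    def outgoing(self, pkt: Packet) -> Packet:
        """Guest -> outside: rewrite the source address and port (SNAT)."""
        if not pkt.src_ip.startswith(self.guest_prefix):
            return pkt  # not guest traffic, leave it alone
        pub_port = self._pick_port(pkt.src_port)
        self.flows[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> host: only a reply to an existing flow or an explicit
        DNAT rule is translated into the guest network; anything else is dropped."""
        target = self.flows.get(pkt.dst_port) or self.forwards.get(pkt.dst_port)
        if target is None:
            return None
        guest_ip, guest_port = target
        return Packet(pkt.src_ip, pkt.src_port, guest_ip, guest_port)

    def port_forward(self, public_port: int, guest_ip: str, guest_port: int) -> None:
        """The explicit administrative DNAT ("port forwarding") rule."""
        self.forwards[public_port] = (guest_ip, guest_port)


def outgoing_source_port(clamp: bool) -> int:
    """Source port the outside sees when the guest sends from port 111."""
    nat = HostNat("10.0.2.", "192.0.2.10",
                  to_ports=(1024, 65535) if clamp else None)
    seen = nat.outgoing(Packet("10.0.2.15", 111, "198.51.100.5", 2049))
    return seen.src_port


def guest_nfs_reachable_from_outside(with_dnat: bool) -> bool:
    """Can an outside client reach a guest NFS server on 2049 through the host?"""
    nat = HostNat("10.0.2.", "192.0.2.10")
    if with_dnat:
        nat.port_forward(2049, "10.0.2.15", 2049)
    delivered = nat.incoming(Packet("198.51.100.5", 40000, "192.0.2.10", 2049))
    return delivered is not None and delivered.dst_ip == "10.0.2.15"


if __name__ == "__main__":
    print("default SNAT, guest port 111 ->", outgoing_source_port(clamp=False))
    print("SNAT clamped to 1024-65535   ->", outgoing_source_port(clamp=True))
    print("guest NFS reachable, no DNAT ->", guest_nfs_reachable_from_outside(False))
    print("guest NFS reachable, DNAT    ->", guest_nfs_reachable_from_outside(True))
```

Run as a script it prints the four outcomes. The model does not cover Anthony's qualification: when the host itself has an interface on the guest network, its own traffic to the guest never passes through `outgoing`/`incoming` at all, so a guest service bound to a privileged port is reachable from the host regardless of what the SNAT and DNAT tables say; that direct path is exactly why he says port privileges still matter in the host-access case.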