From: Wei Liu <wei.liu2@citrix.com>
To: Anthony PERARD <anthony.perard@citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
xen-devel@lists.xen.org
Subject: Re: [PATCH] libxl: Do not warn about non existing user for the device model
Date: Mon, 23 May 2016 15:14:59 +0100
Message-ID: <20160523141459.GB22076@citrix.com>
In-Reply-To: <20160523140917.GB1184@perard.uk.xensource.com>
On Mon, May 23, 2016 at 03:09:17PM +0100, Anthony PERARD wrote:
> On Mon, May 23, 2016 at 12:57:26PM +0100, Wei Liu wrote:
> > On Mon, May 23, 2016 at 12:35:02PM +0100, Anthony PERARD wrote:
> > > Running QEMU as non-root user is not ready yet, so avoid advertising it
> > > with a warning.
> > >
> > > Also improve the doc to include more potential issues with running QEMU
> > > as non-root.
> > >
> > > Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> > > ---
> > > docs/man/xl.cfg.pod.5 | 5 +++--
> > > docs/misc/qemu-deprivilege.txt | 4 ++--
> > > tools/libxl/libxl_dm.c | 2 +-
> > > 3 files changed, 6 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/docs/man/xl.cfg.pod.5 b/docs/man/xl.cfg.pod.5
> > > index accd9b4..8a4f4c5 100644
> > > --- a/docs/man/xl.cfg.pod.5
> > > +++ b/docs/man/xl.cfg.pod.5
> > > @@ -1953,8 +1953,9 @@ option to the device-model.
> > >
> > > Run the device model as user "username", instead of
> > > B<xen-qemuuser-domid$domid> or B<xen-qemuuser-shared> or B<root>.
> > > -Please note that running QEMU as non-root causes migration and PCI
> > > -passthrough not to work properly.
> > > +Please note that running QEMU as non-root causes several features like
> > > +migration and PCI passthrough to not work properly and may prevent the guest
> > > +from booting.
> > >
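Review bot: the added sentence starting "+Please note that running QEMU as non-root causes several features like" leaves "several features" open-ended and never tells the reader that the option is not ready yet, which is the reason the commit message gives for the change. Suggest stating outright that the option is work in progress and pointing to docs/misc/qemu-deprivilege.txt (listed in the diffstat) for the known limitations, so that someone who sets it expecting stronger isolation knows what currently breaks. Minor wording point: "to not work properly" reads better as "not to work properly", as the removed line had it.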
> >
> > What is not clear is whether using this option would buy the user
> > anything security-wise. If it doesn't improve security but only breaks
> > things we should probably remove it from man page altogether.
>
> If having undocumented config options is fine, then I guess we can
> remove this from the man.
>

I would say it is OK to have some WIP options go undocumented --
because you don't want users to use them anyway.

Another way is to state explicitly in the manpage that people should not use
this option because it doesn't provide extra security at this stage.

Ian, do you have any opinion on this?

Wei.

> --
> Anthony PERARD