---- "Kevin F. Quinn" <[EMAIL PROTECTED]> wrote:
> On Fri, 9 Feb 2007 22:48:51 +0000
> Paul Brook <[EMAIL PROTECTED]> wrote:
>
> > I've very little sympathy (read: none) for people who "accidentally"
> > break things by running them as root.
>
> On a related note, I've been running qemu(-system 0.8.2) as root
> recently as a hopefully temporary measure so that it can setup the
> network interfaces. Recent linux kernels require CAP_NET_ADMIN for the
> tun network configuration that qemu does (specifically the TUNSETIFF
> ioctl), and the only way to get the capability is to start the process
> as root.
>
> Other capabilities could be dropped; as indeed could CAP_NET_ADMIN once
> the network configuration is done, but that means modifications to qemu
> itself to release the capabilities, and would still leave qemu as a
> suid-root binary, which it would be nicer to avoid.
>
> Is there any way around this? I expected to be able to configure
> capabilities for executables in the filesystem, but it appears there
> are serious problems with that concept so the kernel doesn't support
> it.

I just dealt with that. I got a patch for tap for Solaris and I have a setuid script that creates the tap and uses the /etc/qemu-ifup script to configure the interface, then calls a script with the file descriptor of the tap interface to a script which then invokes qemu with the right parameters.

Ben
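
The pattern discussed in this thread (do the privileged tap setup first, then give qemu only the open descriptor), sketched for Linux as an added example; it is not code from either post or from qemu. It assumes an interface named tap0 and a binary named qemu on PATH that accepts `-net tap,fd=N`, and it leaves out the /etc/qemu-ifup configuration step.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <net/if.h>
#include <linux/if_tun.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Privileged step: TUNSETIFF needs CAP_NET_ADMIN on recent kernels. */
int tap_open(const char *ifname)
{
    struct ifreq ifr;
    int fd;
    if (strlen(ifname) >= IFNAMSIZ) return -1;   /* refuse silent truncation */
    if ((fd = open("/dev/net/tun", O_RDWR)) < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { close(fd); return -1; }
    return fd;
}

/* Drop to the invoking user for good: groups first, then gid, then uid. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;   /* root must stay gone */
}

/* Let the fd survive exec and format the value for qemu's "-net" option. */
int tap_net_arg(int fd, char *buf, size_t len)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0) return -1;
    int n = snprintf(buf, len, "tap,fd=%d", fd);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char arg[32];
    int fd = tap_open("tap0");   /* "tap0" is an assumed interface name */
    if (fd < 0 || drop_root(getuid(), getgid()) < 0 ||
        tap_net_arg(fd, arg, sizeof arg) < 0) { perror("setup"); return 1; }
    execlp("qemu", "qemu", "-net", "nic", "-net", arg, (char *)NULL);
    perror("execlp"); return 1;   /* only reached if exec failed */
}
```

Installed setuid-root, this launcher holds root only for the open and ioctl calls, so the emulator itself never runs privileged.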