On Mon, Feb 27, 2012 at 10:38:15AM +0100, Klaus Espenlaub wrote:
> Hi Alexey,
>
> the proposed docs patch isn't acceptable. It means drilling an
> unnecessarily big hole into the access rights system. Don't assume that
> you're the only user on the system. If we document things this way
> people will report security issues in the manual.
>
> Solutions which use groups or other approaches are welcome...
>

I don't know if it helps: vde_switch permits the access mode and group to be defined on its command line (without the need for a chmod), e.g.

    vde_switch -s /tmp/switch1 -mod 0770 -group mygroup

Users can start their own switches with the permissions they like. The only limitation is access to a tap interface; as a user it is (clearly) forbidden.

We use two methods:

1- We start one or more vde_switches at boot time (using an /etc/init.d script). IP addresses (e.g. dhcp, IPv6 autoconfiguration)/routing are defined for each switch by the sysadmin. Users' virtual machines are allowed to join the switches depending on the permissions defined (typically group-based permissions as above). This approach is similar to a LAN in a lab where users are allowed to plug in their machines. If there are more labs, users can join the LANs of the labs they are allowed to enter. We use this for the VMs of our students: lots of users, a few tap interfaces.

2- It is possible to pre-allocate tap interfaces using tunctl or our vde_tunctl, and assign them to specific users. Each user can then start his/her vde_switch and connect it to his/her own tap (one tap for each user).

renzo

_______________________________________________
vbox-dev mailing list
[email protected]
https://www.virtualbox.org/mailman/listinfo/vbox-dev
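The thread's point is that a switch started as `vde_switch -s /tmp/switch1 -mod 0770 -group mygroup` should leave no permission bits for "other" on its control directory. The following audit script is an added example, not code from the thread or from the VDE project; it assumes a POSIX sh with ls(1), and the directory paths and group names it is given are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit vde_switch control directories for the
# world-accessible configuration the thread argues against.
# A correctly started switch (-mod 0770 -group mygroup) owns a
# directory that is group-accessible and has other=--- .

# other_bits DIR: print the rwx triple for "other", e.g. "---" or "rwx".
# Parses ls -ld so it works on both GNU and BSD userlands.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# owning_group DIR: print the group name that owns DIR (4th ls -l field).
owning_group() {
    set -- $(ls -ld "$1")
    echo "$4"
}

# switch_dir_ok DIR GROUP: return 0 if DIR is a directory owned by GROUP
# with no "other" permission bits, 1 otherwise (reason on stderr).
switch_dir_ok() {
    dir=$1; group=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2; return 1
    fi
    if [ "$(other_bits "$dir")" != "---" ]; then
        echo "$dir: world-accessible (other=$(other_bits "$dir"))" >&2; return 1
    fi
    if [ "$(owning_group "$dir")" != "$group" ]; then
        echo "$dir: group is $(owning_group "$dir"), expected $group" >&2; return 1
    fi
    return 0
}

# audit_switches GROUP DIR...: one verdict line per DIR; the exit status
# is the number of directories that failed the check.
audit_switches() {
    group=$1; shift; bad=0
    for d in "$@"; do
        if switch_dir_ok "$d" "$group" 2>/dev/null; then
            echo "OK   $d"
        else
            echo "FAIL $d"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it from the /etc/init.d script after the switches start, e.g. `audit_switches mygroup /tmp/switch1 /tmp/switch2`, so a switch whose directory was later chmod'ed open is reported at boot.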
