qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH] Security house-cleaning


From: Panagiotis Issaris
Subject: Re: [Qemu-devel] [PATCH] Security house-cleaning
Date: Thu, 17 Jun 2004 17:24:43 +0200
User-agent: Mozilla Thunderbird 0.6 (X11/20040605)

Hi Renzo,

Renzo Davoli wrote:

On Thu, Jun 17, 2004 at 04:07:20PM +0100, Gianni Tedesco wrote:
Thats only worrisome from a security perspective if qemu was designed to
run SUID, which I doubt that it is... Of course it's a bug and needs
fixing though.

One of the main pros of Qemu (among the others) it that it has been
designed NOT to run SUID.
The only piece of code that need root access is tuntap networking.
This problem can be circunvented by:
- using sudo for tuntap
If you run it using sudo, you can limit the users who are allowed
to run it, but the process will still run as root, which will not
prevent exploits being able to run with root-permissions.

- using user net (a.k.a slirp)
- using vde.

With friendly regards,
Takis

--
------------------------------------------------------------------------
Panagiotis Issaris
Katholieke Universiteit Leuven
Division Production Engineering,
Machine Design and Automation
Celestijnenlaan 300B              address@hidden
B-3001 Leuven Belgium                 http://www.mech.kuleuven.ac.be/pma
------------------------------------------------------------------------

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]