Re: [Qemu-devel] [PATCH] build: set up capabilities on qemu-bridge-helper

[Avi Kivity]

On 11/14/2013 03:29 PM, Stefan Hajnoczi wrote:
> On Tue, Nov 12, 2013 at 01:10:24PM +0200, Avi Kivity wrote:
> > Out-of-the-box, 'make install' sets up an unusable qemu-bridge-helper since
> > it doesn't have the required capabilities.
> >
> > Fix by adding them.
> Up until now, downstreams had to make the bridge helper executable
> setuid, add the cap_net_admin capability, or they did nothing and it was
> broken ;-).  CCing downstream package maintainers in case they have any
> comments on this patch.

And it was, indeed, broken.

> > Note: this may break installing as non-root.  This is actually the right
> > thing to do, since not setting up the capability would result in a broken
> > setup.  Perhaps we need a configure flag to disable helpers.
> Users who have been successfully installing QEMU would be upset if it
> suddenly starts failing after this patch.  The bridge helper is a niche
> feature that shouldn't cause a regression for the majority of users who
> don't care about it.
>
> If we're installing non-root then the bridge helper simply shouldn't be
> installed.

Or maybe installed without the capabilities?  This way if the user 
invokes qemu with sudo, it still works as before.