On Mon, Apr 04, 2011 at 08:02:26AM -0500, Anthony Liguori wrote:
> On 04/04/2011 05:47 AM, Daniel P. Berrange wrote:
> >>I'm hoping libvirt's behavior can be made to just work rather than
> >>adding new features to QEMU. But perhaps passing file descriptors is
> >>useful for more than just reopening host devices. This would
> >>basically be a privilege separation model where the QEMU process isn't
> >>able to open files itself but can request libvirt to open them on its
> >>behalf.
> >It is rather frickin' annoying the way udev resets the ownership
> >when the media merely changes. If it isn't possible to stop udev
> >doing this, then I think the only practical thing is to use ACLs
> >instead of user/group ownership. We wanted to switch to ACLs in
> >libvirt for other reasons already, but it isn't quite as simple
> >as it sounds[1] so we've not done it just yet.
>
> Isn't the root of the problem that you're not running a guest in the
> expected security context?

That doesn't really have any impact. If a desktop user is logged in,
udev may change the ownership to match that user, but if they aren't,
then udev may reset it to root:disk. Either way, QEMU may lose
permissions to the disk.

> How much of a leap would it be to spawn a guest with the credentials
> of the user that created/defined it? Or better yet, to let the user
> be specified in the XML.

That's a completely independent RFE which won't fix this issue in the
general case.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|