On Tue, Apr 30, 2019 at 10:48:51AM +0100, Daniel P. Berrangé wrote: > On Tue, Apr 30, 2019 at 10:45:03AM +0100, Peter Crowther wrote: > > On Tue, 30 Apr 2019 at 10:40, Michal Privoznik <mprivozn@xxxxxxxxxx> wrote: > > > > > Is there any problem running libvirtd as root? > > > > > > Yes, in the regulated environment in which I work! I have to do far more > > thorough threat analysis than I would do if I knew which capabilities it > > had. So far, we've accepted the extra work; but it would be wonderful to > > be able to run a locked-down virtualisation environment. > > Libvirtd system mode will want cap_net_admin in order to setup TAP devices > and cap_sys_admin to manage disk permissions to grant QEMU access, at which > point you've lost any security benefit of running it unprivileged with > selective capabilities. Opps, I mean cap_dac_override not cap_sys_admin but the point still stands. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
