[libvirt] [PATCH] qemu.conf: Change the example user from 'root' to 'qemu'

Kashyap Chamarthy kchamart at redhat.com
Fri Jun 1 15:05:30 UTC 2018


On Fri, Jun 01, 2018 at 02:11:12PM +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 01, 2018 at 02:46:40PM +0200, Peter Krempa wrote:
> > On Fri, Jun 01, 2018 at 13:32:20 +0100, Daniel Berrange wrote:

[...]

> > > The reason the config file documents 'root' is because that is what
> > > configure defaults to.  If you pass --with-qemu-user to configure,
> > > we don't update the config file example though, and perhaps we should.

Thanks for that 'configure' context.

> > > Alternatively should we make configure default to 'qemu' instead of
> > > 'root', since it is generally considered insane to run QEMU as root.
> > 
> > But user 'qemu' is not by default present on all systems. Even the
> > libvirt.spec file creates the account.
> 
> Yes, that's the reason configure defaults to 'root', but I really hate
> the fact that we default to a config that no one should ever run in
> practice.
> 
> We could check for existence of 'qemu' in configure and complain if
> it is missing, but that's painful in itself as it is valid to build
> on a host without the user, as long as it exists at runtime.
> 
> I tend to think we should just blindly use qemu/qemu by default and
> document that creating these accounts is a requirement. Users will
> quickly see if they're missing when they try to start a guest.

I'll try to audit what user all the different distributions (that
matter) use to launch QEMU.  If they are all using 'qemu' anyway,
then probably we can just go with 'qemu:qemu', and document the
requirement as such.

> > As a second thought, we generally use commented-out bits that are the
> > non-default configuration. So this fits the pattern in the extent that
> > any sane distro specified its own user/group using the configure
> > options and if for any reason the user wants to run this as root it's
> > done just by uncommenting it.
> 
> Most commented out bits are not a security flaw if uncommented though.
> The fact that we show 'user=root' in the config file though puts across
> the misleading idea that it is a reasonable thing to do, when in fact it
> is a horribly insecure thing to do.

Yeah, indeed.

-- 
/kashyap
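
An added example, not part of the thread or of libvirt's code: a check of the effective `user`/`group` in a qemu.conf that flags id 0 and accounts missing on the host, the two conditions discussed above. `build_default` stands in for whatever `--with-qemu-user` compiled in; the function names and sample config text are constructed for illustration.

```python
import grp
import pwd
import re

# Uncommented `user = "..."` / `group = "..."` lines, as written in qemu.conf.
_SETTING = re.compile(r'^\s*(user|group)\s*=\s*"([^"]*)"\s*(?:#.*)?$')

# Constructed sample configs (not copied from any distribution).
SAMPLE_COMMENTED = '#user = "root"\n#group = "root"\n'
SAMPLE_QEMU = 'user = "qemu"\ngroup = "qemu"\n'


def effective_accounts(conf_text, build_default=("root", "root")):
    """Return the (user, group) the config selects. Commented-out keys fall
    back to build_default, an assumed stand-in for the configure-time value."""
    values = {"user": build_default[0], "group": build_default[1]}
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m:
            values[m.group(1)] = m.group(2)  # this sketch lets the last line win
    return values["user"], values["group"]


def resolve_id(name, lookup):
    """Numeric id for an account value, or None if it cannot be resolved."""
    if name.startswith("+") and name[1:].isdigit():
        return int(name[1:])  # "+0" style: forced numeric id
    try:
        return lookup(name)
    except KeyError:
        return int(name) if name.isdigit() else None


def audit(conf_text, build_default=("root", "root"),
          user_lookup=lambda n: pwd.getpwnam(n).pw_uid,
          group_lookup=lambda n: grp.getgrnam(n).gr_gid):
    """List findings for the effective user and group of a qemu.conf."""
    user, group = effective_accounts(conf_text, build_default)
    findings = []
    for kind, name, lookup in (("user", user, user_lookup),
                               ("group", group, group_lookup)):
        ident = resolve_id(name, lookup)
        if ident is None:
            findings.append(f"{kind} '{name}' does not exist on this host")
        elif ident == 0:
            findings.append(f"{kind} '{name}' is id 0: guests run as root")
    return findings
```

The lookups are parameters so the check can be run against a build host's or an image's account database rather than the local one.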



