[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] libvirtd via unix socket using system uri



On Tue, Apr 30, 2019 at 10:45:03AM +0100, Peter Crowther wrote:
> On Tue, 30 Apr 2019 at 10:40, Michal Privoznik <mprivozn redhat com> wrote:
> 
> > Is there any problem running libvirtd as root?
> >
> > Yes, in the regulated environment in which I work!  I have to do far more
> thorough threat analysis than I would do if I knew which capabilities it
> had.  So far, we've accepted the extra work; but it would be wonderful to
> be able to run a locked-down virtualisation environment.

Libvirtd system mode will want cap_net_admin in order to setup TAP devices
and cap_sys_admin to manage disk permissions to grant QEMU access, at which
point you've lost any security benefit of running it unprivileged with
selective capabilities.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]