[Virtio-fs] [RFC] About non-root virtiofsd(1) process
Vivek Goyal
vgoyal at redhat.com
Tue Feb 16 14:36:35 UTC 2021
On Tue, Jan 19, 2021 at 08:04:29PM +0530, P J P wrote:
> +-- On Mon, 18 Jan 2021, Stefan Hajnoczi wrote --+
> | Guest applications may run with different uids/gids. The host has no control
> | over that.
> |
> | Imagine booting a guest form a virtio-fs root file system and installing
> | packages. The guest must be able to control uids/gids for that to work.
>
> * I see; I'll try to better understand how it's done.
>
> * With UID namespaces, I thought virtiofsd(1) would be able to operate files
> with arbitrary uid/gid, even after dropping its root privileges to acquire
> non-root privileges on the host; Because it has 'root' privileges under the
> shared directory & UID namespace.
>
> | > $ ./virtiofsd -runas test -o source=...
> |
> | Patches for this are welcome.
>
> * Okay, will try.
Catching up with this thread now.
I had posted minimal patches to allow running virtiofsd unpriviliged.
They did not make further progress though.
https://patchew.org/QEMU/20200730194736.173994-1-vgoyal@redhat.com/
While being able to run virtiofsd in a user namespace is certainly
valuable, I feel being able to run virtiofsd unpriviliged has it
use cases as well. For example, if a user wants to share just its
home directory on host with guest. In that case, we probably don't
require lot of priviliged operations to be performed by virtiofsd.
Vivek
More information about the Virtio-fs
mailing list