On Mon, Apr 4, 2011 at 5:43 PM, Anthony Liguori <anthony(a)codemonkey.ws> wrote:
> On 04/04/2011 09:26 AM, Daniel P. Berrange wrote:
>>
>> On Mon, Apr 04, 2011 at 09:19:36AM -0500, Anthony Liguori wrote:
>>>
>>> On 04/04/2011 08:16 AM, Daniel P. Berrange wrote:
>>>>
>>>> That doesn't really have any impact. If a desktop user is logged
>>>> in, udev may change the ownership to match that user, but if they
>>>> aren't, then udev may reset it to root:disk. Either way, QEMU
>>>> may lose permissions to the disk.
>>>
>>> Then if you create a guest without being in the 'disk' group, it'll
>>> fail. That's pretty expected AFAICT.
>>
>> We don't *ever* want to put QEMU in the 'disk' group because
>> that gives it access to any disk on the system in general.
> If that's what the user wants to do, what's the problem with doing it?
> Setting the global user/group is not enough because just because you have
> one VM that you want in disk doesn't mean you want all of them in disk.
Privilege separated QEMU sounds so interesting that I'd go for that
direction. There could be helper processes which retain privileges and
communicate with the main unprivileged QEMU with only file
descriptors. The helpers could even execute setgid disk group
re-opener for the CD-ROM case, or ask libvirt to do the reopen. For
unprivileged QEMU part it wouldn't matter, all it sees are the
descriptors.
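The helper-process design sketched above depends on one mechanism: a process that holds the privilege opens the device and hands the resulting descriptor to an unprivileged process, which never needs group membership or the path itself. The following is an added example, not QEMU or libvirt code and not written by anyone in this thread, showing that mechanism with SCM_RIGHTS over a Unix socketpair. The "helper" and "unprivileged" roles are simulated in a single process for clarity; the function names send_fd, recv_fd and demo_pass_fd and the use of /dev/null as the opened path are assumptions of this example.

```c
/* Added example (not QEMU/libvirt code): passing an open file descriptor
 * from a privileged helper to an unprivileged receiver over a Unix-domain
 * socket using SCM_RIGHTS. The receiver gets a working descriptor without
 * ever being able to open the path itself. */
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* Send one descriptor over a connected AF_UNIX socket. Returns 0 on success. */
int send_fd(int sock, int fd_to_send)
{
    char dummy = 'F';                 /* at least one byte of payload is required */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;       /* ancillary data carries a descriptor */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd number, or -1 if the message
 * carried no (or a malformed) SCM_RIGHTS control block. */
int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];

    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;

    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                    /* defensive: validate before trusting */

    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Simulates the helper/unprivileged split inside one process: the "helper"
 * end opens `path`, passes the descriptor across a socketpair, and the
 * "unprivileged" end checks (via fstat) that it received the same file.
 * Returns 1 if the passed descriptor matches the original, 0 otherwise. */
int demo_pass_fd(const char *path)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;

    int orig = open(path, O_RDONLY);  /* helper side: opens with its own privileges */
    if (orig < 0) {
        close(sv[0]);
        close(sv[1]);
        return 0;
    }

    int ok = 0;
    if (send_fd(sv[0], orig) == 0) {
        int got = recv_fd(sv[1]);     /* unprivileged side: only sees a descriptor */
        if (got >= 0) {
            struct stat a, b;
            ok = fstat(orig, &a) == 0 && fstat(got, &b) == 0
                 && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
            close(got);
        }
    }
    close(orig);
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("descriptor passed intact: %s\n", demo_pass_fd("/dev/null") ? "yes" : "no");
    return 0;
}
```

The point for the design in the thread is that the unprivileged side never calls open() and never needs to be in the disk group; all it can do is use the descriptors it is handed, and recv_fd refuses anything that is not a well-formed SCM_RIGHTS message.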