Daniel P. Berrange wrote:
We currently have logic in the remote driver so that it handles the local QEMU driver URIs, so they get re-directed to the daemon. It also handles networking APIs for Xen driver. For normal APIs, Xen has the auto-spawned setuid proxy daemon. This was very useful at the time we wrote it, but it only supports a handful of operations, and only in read-only mode. One other factor is that SUSE, for example, do not ship it because it is setuid. I don't know whether this is just a general policy, or just because they've not had time to audit it, but that's not very good for their users.
Yep. Reason is the former. But this can be overridden (followed by an audit) if there is a good case. Apparently my case wasn't strong enough. Too be fair though, I didn't push hard. And now that I've seen this mail I'm reminded that I wanted to push this for openSUSE 10.3 -- which went GM today :-(. Jim