I found there's a way for a unprivileged user to overwrite sensitive system file with virsh, here's how: 1. (as an unprivileged user) start virsh and connect to the r/w socket of libvirtd: virsh -c qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock 2. start a guest, then issue 'save' or 'dump' command, giving a sensitive system file path as the <file> parameter, for example, '/etc/passwd'; 3. the sensitive system file will be overwritten; Attached is a test log. I'm using libvirt-0.8.7 on a OpenClient for RHEL 6.1. And latest libvirt code shows the same symptom. BTW, virsh expands the <file> parameter in step to an absolute path if user-provided is not, and libvirtd interprets it as a local file. IMHO it does not look quite right, especially when the virsh-to-libvirtd connection is remote. -- Thanks. Hong Xiang