Re: [libvirt] [PATCH] Default to qemu:///system if accessible

On 06-09-2010 11:17, Daniel P. Berrange wrote:
> Our goal is to improve qemu://session's networking such that this 
> isn't a reason to use qemu://system anymore

Fair enough, but when that happens, I'm supposing people won't have
access to the system-wide UNIX socket anymore.

> Enabling use of qemu://session is key to solving a number of
> important security problems, not least that a user should be able to
> just keep the disk & iso images in their home directory and not have
> to worry about their ownership/permissions.


> In addition by running VMs directly under the user's session things
> like pulseaudio, SDL can directly access the X & GNOME sessions
> without further special config.

I was under the impression that the currently targeted solution to at least
the audio problem was tunnelling through VNC?

> This is ignoring two important use cases which are common in the 
> corporate world. Shared development servers where many users are on 
> one server, and personal workstations where the users are not
> allowed to have root.

I disagree. In both of those cases, I'd be surprised if people were able
to access the privileged libvirtd socket. In the former case, if people
generally had access to the systemwide libvirtd instance, I'd assume
that was because that was the one they were supposed to use for their
shared development stuff. In the latter case, with that sort of access,
I could have full root shell access within minutes, so that'd be a
pretty big security fail.

> The thing about heuristics is that they're never correct for 
> everyone. Your patch is making it more correct for one group of 
> people, and less correct for a different group of people. Further 
> making a significant functional change to libvirt that will break 
> things for people that are relying on the existing behaviour.

I understand the difficulty of heuristics. That's exactly why I think
this discussion is useful: It seeks to determine the accuracy of the
current heuristic, which I claim is inaccurate in all but extraordinary

> If someone wants to save typing they need merely set 
> LIBVIRT_CONNECT_URI to whatever they want and thus avoid the default 
> connection logic completely.

As you point out to Eric elsewhere in this thread, this is about
adjusting the behaviour of the heuristic, not about just providing a
default URI. I admit, though, that I did not know of the environment
variable to do this, which is called LIBVIRT_DEFAULT_URI, by the way :)

Soren Hansen
Ubuntu Developer
