Comment 11 for bug 103010

Chris Bainbridge (chris-bainbridge) wrote :

Kees: I know about the wiki page - I'm the one who edited it to note this issue. It is not true that file capabilities only work in Lucid - I am using Karmic and it works fine. libcap2-bin is also not a PAM package. It is also not true that you need to manually add users to /etc/security/capability.conf. I will correct these points in the Wiki.

It is true that with CAP_NET_ADMIN capability any user could boot a VM and gain access to a virtual ethernet device. That's the whole point. I would assume that the majority of people installing qemu would actually want to be able to create bridged virtual ethernet devices. VirtualBox allows normal users to create bridged ethernet devices that could be used to "disrupt networking". Why should qemu be different? If you are concerned about users directly abusing the capability with their own software then this is not possible - giving the qemu binary the capability means that only that binary gets the capability - other binaries executed by the same user do not get the capability. Access to /dev/net/tun can still be controlled using standard file permissions as usual.

Using a file capability would obviously be preferable as it would not require individual users to be manually assigned the capability, and could be done in postinst and would survive qemu package upgrades. The only way someone could disrupt the network in this way is if they:

1) Were allowed to run qemu
2) Had rw access to /dev/net/tun
3) Had some exploit for qemu to allow them to run some arbitrary network disrupting code

Basically, whatever potential problems there are, the same problems are also present in VirtualBox, and yet that ships with working network bridging for VMs (the mechanism is different, but the fundamental problems are the same). Why can't qemu have working bridged networking? Why not create a "tun" group that has rw access to /dev/net/tun if that is the problem you are trying to avoid?

And if making the existing package work is unacceptable, then why not create a "qemu-kvm-working-bridged-networking" package and recommend that users who want bridged network use that instead?
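A small audit script for the setup argued for in this comment (a file capability on the qemu binary plus a dedicated group on /dev/net/tun), added here as an example; it is not from the bug thread or from any qemu package. The binary path /usr/bin/qemu and the group name "tun" are assumptions.

```shell
#!/bin/sh
# Checks the two conditions the comment relies on:
#  1. only the qemu binary carries CAP_NET_ADMIN (file capability), and
#  2. /dev/net/tun is reachable only through its owning group, not by "other".
# To apply the setup (as root, from libcap2-bin):
#   setcap cap_net_admin+ep /usr/bin/qemu
#   groupadd tun; chgrp tun /dev/net/tun; chmod 660 /dev/net/tun
# Path and group name below are assumptions for this example.

# has_cap LINE CAP: succeed if a getcap output line grants CAP as effective.
# getcap prints "/usr/bin/qemu = cap_net_admin+ep" (older libcap) or
# "/usr/bin/qemu cap_net_admin=ep" (newer libcap); both forms are handled.
has_cap() {
    line=$1; cap=$2
    case "$line" in
        *"$cap"*) ;;
        *) return 1 ;;
    esac
    # Flags following the capability name (e.g. "ep", "p").
    flags=$(printf '%s\n' "$line" | sed -n "s/.*$cap[^+=]*[+=]\([a-z]*\).*/\1/p")
    case "$flags" in
        *e*) return 0 ;;
        *) return 1 ;;
    esac
}

# tun_perm_ok MODE GROUP [WANT]: MODE/GROUP as printed by `stat -c '%a %G'`.
# Succeed when "other" has neither read nor write and the group is WANT.
tun_perm_ok() {
    mode=$1; group=$2; want=${3:-tun}
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    case "$other" in
        0|1) ;;
        *) return 1 ;;
    esac
    [ "$group" = "$want" ]
}

# audit [QEMU_PATH]: run both checks on the live system.
audit() {
    qemu=${1:-/usr/bin/qemu}
    if has_cap "$(getcap "$qemu" 2>/dev/null)" cap_net_admin; then
        echo "$qemu: cap_net_admin effective via file capability"
    else
        echo "$qemu: no cap_net_admin file capability"
    fi
    if [ -c /dev/net/tun ]; then
        set -- $(stat -c '%a %G' /dev/net/tun)
        tun_perm_ok "$1" "$2" && echo "/dev/net/tun: mode $1 group $2 (ok)" \
            || echo "/dev/net/tun: mode $1 group $2 (others can reach it)"
    fi
}
```

Run `audit` on a host after applying the setcap and chgrp/chmod steps; an unprivileged user outside the "tun" group should then fail on open("/dev/net/tun") regardless of the binary's capability.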