> Exit scripts could be suid if needed.

Scripts cannot be suid, because the executable is their interpreter, iow /bin/sh, which in turn is not setuid-root.

> The exit scripts could simply notify some other privileged process
> that they are shutting down.

This is better. Even better would be a monitoring process that doesn't need to be signaled. (Coincidentally, this would also add the possibility of adding reliably-fired exit-time hooks.)

>> Can qemu create the tap interface without root privilege ?
(...)
> tunctl -t tap0 -u myuser

Create - no, but they can be assigned a user. The iproute2 version of the above command would be:

$ ip tuntap add tap0 mode tap user myuser

You can even mknod them into a node-file (which is how they work on BSDs.)

Also, qemu has a helper-script parameter which can be used to have them created. This would have to be a compiled program and doesn't even need to be suid-root - all it needs is CAP_NET_ADMIN. There are a few ioctls that the user cannot issue to tap devices, though; I'm not sure qemu needs those. (socat for instance fails on taps as a user.) But this can be easily patched if necessary.

Personally I'd like to generally aim for a whitelist permission model. I.o.w.: never actually use root or setuid-root executables, but provide the necessary POSIX capabilities, apparmor permissions and filesystem access. But I fear it's a long and rocky road to get there.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel