Jamie Lokier wrote:
> Anthony Liguori wrote:
>> Let's not kid ourselves, no matter what we do we're giving a user
>> elevated privileges. Even with NAT, if the host can access the NAT'ed
>> network, then you can run a privileged service (like NFS) in that
>> network.
>
> I don't see how outgoing NAT (SNAT), where the guest can make
> _outgoing_ connections to the network, allows the guest to run a
> privileged service accessible to the network. Sure, the guest can run
> an NFS server, but it means nothing to the outside - it's on the
> guest's own private little network. Same as Slirp.
>
> The guest cannot even make an outgoing request which appears to come
> from a privileged port - if the SNAT rule has the appropriate options
> to force the port into an unprivileged range.
>
> For the guest's NFS server to be visible to the network requires
> incoming NAT (DNAT) on the host, often called "port forwarding". But
> that is done by explicit administration; if you can do that, you can
> run a privileged service on the host anyway.
You are correct except that I qualified this as NAT with host access
which so far is the common model. If the host can access the NAT'd
network behind the NAT, then port privileges are important.
--
Regards,
Anthony Liguori
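A toy model of the three cases argued over in this exchange, added here as an illustration and not code from either poster: outgoing SNAT with the source port forced into the unprivileged range (what an iptables rule such as `-j SNAT --to-source 203.0.113.5:1024-65535` with `-p tcp` or `-p udp` does), incoming DNAT that only exists where an administrator configured it, and the "host access" case where the host routes straight into the guest network and neither rule applies. All addresses and ports are constructed sample values.

```python
# Added example, not from the thread. Simplified stand-in for the host's
# NAT and routing decisions; addresses and ports are constructed values.
from dataclasses import dataclass, replace
import random

GUEST_NET = "10.0.2."          # private network behind the host's NAT (constructed)
HOST_PUBLIC = "203.0.113.5"    # host's address on the outside network (constructed)
HOST_INTERNAL = "10.0.2.2"     # host's own address on the guest network (constructed)
UNPRIV_PORTS = range(1024, 65536)
_rng = random.Random(0)        # deterministic port picker for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_guest_net(addr: str) -> bool:
    return addr.startswith(GUEST_NET)


def snat_outgoing(pkt: Packet) -> Packet:
    """Outgoing SNAT with a port-range option: guest-originated traffic leaving
    the guest network gets the host's public address and a source port drawn
    only from the unprivileged range, so the outside never sees a privileged
    source port coming from the guest (the SNAT --to-source ADDR:1024-65535 case)."""
    if in_guest_net(pkt.src) and not in_guest_net(pkt.dst):
        return replace(pkt, src=HOST_PUBLIC, sport=_rng.choice(UNPRIV_PORTS))
    return pkt


def dnat_incoming(pkt: Packet, forwards: dict) -> Packet:
    """Incoming DNAT (port forwarding): only (host_addr, port) pairs an
    administrator listed in `forwards` are redirected to a guest; anything
    else terminates on the host, so a guest NFS server stays invisible."""
    target = forwards.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1])


def reachable_from_host(pkt: Packet) -> bool:
    """The 'NAT with host access' case: the host talks to the guest network
    directly, bypassing both NAT rules, so a privileged service on the guest
    is reachable from the host and its port number does matter."""
    return pkt.src == HOST_INTERNAL and in_guest_net(pkt.dst)
```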