On 21.01.2012 02:13, Lutz Vieweg wrote:
> On 01/05/2012 04:00 PM, Michael S. Tsirkin wrote:
>> Just chmod /dev/vhost-net to allow access
>
> I wonder whether it's considered a security risk to allow non-root
> users access to /dev/vhost-net?
>
> (Or is there a way to have root prepare limited use of vhost for only
> some users or some network devices?)

The usual idiom is to create a dedicated group, chgrp /dev/vhost-net to this group and add g+rw permission. That lets you add users to that group to grant them access.

Initially it was believed that /dev/kvm poses no security implications whatsoever and can be mode 0666. But later on several security bugs have been discovered in this subsystem, so it is a good idea to not grant extra privileges by default.

/mjt
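
The dedicated-group idiom from the reply above, as an added example that is not part of the original thread: it applies the chgrp and g+rw step, emits a udev rule so the setting survives a reboot, and checks that the node is not left world-accessible. The group name `vhost`, the rules file name, the user `alice` and the three function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The group name "vhost" and the rules
# file name below are assumptions; pick whatever fits your distribution.
#
# One-time setup as root:
#   groupadd --system vhost
#   usermod -aG vhost alice          # repeat per user that needs vhost
#   grant_group_access /dev/vhost-net vhost
#   udev_rule vhost-net vhost > /etc/udev/rules.d/99-vhost-net.rules

# chgrp + g+rw as described above; o-rwx additionally drops world access.
grant_group_access() {
    chgrp "$2" "$1" && chmod g+rw,o-rwx "$1"
}

# /dev is rebuilt at boot, so a manual chmod does not persist; a udev rule
# reapplies group and mode whenever the node is created.
udev_rule() {
    printf 'KERNEL=="%s", GROUP="%s", MODE="0660"\n' "$1" "$2"
}

# Exit 0 only if the node belongs to the wanted group (name or numeric gid),
# the group has rw, and "other" has no permission bits. Uses GNU stat.
node_is_restricted() {
    mode=$(stat -c '%a' "$1") || return 2
    gname=$(stat -c '%G' "$1") || return 2
    gid=$(stat -c '%g' "$1") || return 2
    [ "$2" = "$gname" ] || [ "$2" = "$gid" ] || return 1
    [ $(( (0$mode >> 3) & 6 )) -eq 6 ] || return 1
    [ $(( 0$mode & 7 )) -eq 0 ] || return 1
}
```

Running `node_is_restricted /dev/vhost-net vhost` after a reboot confirms the udev rule took effect; group membership changes apply to new login sessions only.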