tag 630701 + wontfix
thanks

16.06.2011 15:57, Arno Schuring wrote:
> Package: qemu-kvm
> Version: 0.14.1+dfsg-1
> Severity: wishlist
> 
> Using KVM with tap-based network interfaces, I need to set the cap_net_admin
> capability on the kvm binary because I want to start VMs as a normal user.
> However, on every package upgrade, the binary files are overwritten and the
> capabilities are lost.

You're doing it wrong.  Please don't assign cap_net_admin to the kvm binary.

If you want to be able to use tap networking, pre-configure a few tap
devices in /etc/network/interfaces or in /etc/rc.local (together with
adding them to appropriate bridges and whatnot) and assign them user/group
permissions.

By giving cap_net_admin to the kvm binary you effectively give it full
control over your network, which includes reconfiguration of your
eth0, adding/removing bridges and whatnot.  It's too much.

And when you allow regular users to create tap devices like that,
you'll have to give them additional powers anyway, since these
tap devices need to be configured too, which is done in the
script (usually /etc/kvm/kvm-ifup) executed by kvm.

> Is there any possibility of having such capabilities preserved on upgrade?

This should be done at dpkg level, in a way similar to dpkg statoverride
mechanism.  You may want to file a wishlist bug against dpkg.

But again, your problem is better solved in a different way.

/mjt
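
A sketch of the pre-configured tap setup suggested in the reply above, as an added example that is not part of the original message. The user "vmuser", the bridge "br0", the TAP_* variables and the function names are assumptions; the bridge is assumed to exist already, and the script is meant to run as root at boot (for instance from /etc/rc.local).

```shell
#!/bin/sh
# Added example: create persistent tap devices owned by an unprivileged
# user and attach them to an existing bridge, so the kvm binary itself
# needs no cap_net_admin. All names below are hypothetical.

# Dry run by default: commands are printed. TAP_APPLY=1 executes them.
run() {
    if [ "${TAP_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# setup_taps OWNER BRIDGE COUNT -> creates tap0 .. tap(COUNT-1)
setup_taps() {
    owner=$1; bridge=$2; count=$3
    # Accept only plain names and a plain number.
    for name in "$owner" "$bridge"; do
        case $name in
            ""|*[!A-Za-z0-9_.-]*) echo "bad name: '$name'" >&2; return 2 ;;
        esac
    done
    case $count in
        ""|*[!0-9]*) echo "bad count: '$count'" >&2; return 2 ;;
    esac
    i=0
    while [ "$i" -lt "$count" ]; do
        dev="tap$i"
        # Persistent tap device that only $owner may open.
        run ip tuntap add dev "$dev" mode tap user "$owner" || return 1
        # Enslave it to the bridge and bring it up (root does this once,
        # so no ifup script has to run with privileges later).
        run ip link set dev "$dev" master "$bridge" || return 1
        run ip link set dev "$dev" up || return 1
        i=$((i + 1))
    done
}

setup_taps "${TAP_OWNER:-vmuser}" "${TAP_BRIDGE:-br0}" "${TAP_COUNT:-2}"
```

The owning user then starts the guest with "-net tap,ifname=tap0,script=no,downscript=no", so kvm neither creates the device nor runs an ifup script.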


