[vbox-dev] [PATCH] VirtualBox docs for VDE fix
Renzo Davoli
renzo at cs.unibo.it
Mon Feb 27 02:02:37 PST 2012
On Mon, Feb 27, 2012 at 10:38:15AM +0100, Klaus Espenlaub wrote:
> Hi Alexey,
>
> the proposed docs patch isn't acceptable. It means drilling an
> unnecessary big hole into the access rights system. Don't assume that
> you're the only user on the system. If we document things this way
> people will report security issues in the manual.
>
> Solutions which use groups or other approaches are welcome...
>
I don't know if it helps:
vde_switch permits the access mode and group to be defined on its command
line (without the need for a chmod), e.g.
vde_switch -s /tmp/switch1 -mod 0770 -group mygroup
Users can start their own switches with the permissions they like.
The only limitation is access to a tap interface, which as a user is
(clearly) forbidden.
We use two methods:
1- We start one or more vde_switches at boot time (using an /etc/init.d
script). IP addressing (e.g. DHCP, IPv6 autoconfiguration) and routing are
defined for each switch by the sysadmin.
Users' virtual machines are allowed to join the switches depending on the
permissions defined (typically group-based permissions, as above).
This approach is similar to a LAN in a lab where users are allowed to
plug in their machines. If there are more labs, users can join the LANs of
the labs they are allowed to enter.
We use this for the VMs of our students: lots of users, a few tap
interfaces.
2- It is possible to pre-allocate tap interfaces using tunctl or our
vde_tunctl, and assign them to specific users.
Each user can then start his/her own vde_switch and connect it to his/her
own tap (one tap for each user).
renzo
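The two lab setups described above, as an added shell example; this is not code from the vbox-dev thread or from the VDE project. It assumes vde2's vde_switch (--sock, --mod, --group, --tap, --daemon) and tunctl (-u, -t) are installed; the directory, group and user names are constructed for the example. The safe_mode check encodes the point of the reply it illustrates: the socket directory is opened to a group, never to "other".

```shell
#!/bin/sh
# Added example (not from the vbox-dev thread): lab-style VDE access control.
# Assumed tools: vde2's vde_switch (--sock/--mod/--group/--tap/--daemon) and
# tunctl (-u/-t). Directory, group and user names below are constructed.

# Method 1 helper: accept only octal modes whose "other" digit is 0, so the
# switch socket is reachable by owner and group but not by every local user
# (a world-writable socket is the hole the docs patch was rejected for).
safe_mode() {
    mode="$1"
    case "$mode" in
        [0-7][0-7][0-7]) mode="0$mode" ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$mode" | cut -c4)" = 0 ]
}

# Build the vde_switch command line for one lab switch (method 1) or for a
# per-user switch bound to a pre-allocated tap (method 2). Prints the
# command; returns 1 if the mode would expose the socket to "other".
switch_cmd() {
    sock="$1"; group="$2"; mode="$3"; tap="${4:-}"
    safe_mode "$mode" || return 1
    cmd="vde_switch --sock $sock --group $group --mod $mode --daemon"
    if [ -n "$tap" ]; then
        cmd="$cmd --tap $tap"
    fi
    printf '%s\n' "$cmd"
}

# May this user join the switch? With a 0770 socket directory the answer is
# simply "is the user a member of the switch's group" (the lab policy above).
user_may_join() {
    user="$1"; group="$2"
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"
}

# After a switch is up, verify its socket directory is closed to "other".
# Parses ls -ld rather than stat so it works on GNU and BSD userlands alike.
dir_closed_to_others() {
    perms=$(ls -ld "$1" | cut -c8-10)
    [ "$perms" = "---" ]
}

# Method 2: root pre-allocates one tap per user; the user then starts their
# own switch with --tap. Only tunctl's exit status is used.
alloc_user_tap() {
    user="$1"; tap="$2"
    tunctl -u "$user" -t "$tap" >/dev/null
}

# Boot-time start (method 1): one switch per lab, each restricted to a group.
start_lab_switches() {
    # lab:group pairs, constructed for the example
    for lab in lab1:vdelab1 lab2:vdelab2; do
        name=${lab%%:*}; grp=${lab##*:}
        cmd=$(switch_cmd "/var/run/vde/$name" "$grp" 0770) || return 1
        $cmd || return 1
        dir_closed_to_others "/var/run/vde/$name" || return 1
    done
}

# Only start switches when vde_switch is installed and we are root; the
# helper functions above can be exercised without either.
if command -v vde_switch >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    start_lab_switches
fi
```

The mode check deliberately accepts a setgid digit (2770), which is a common choice so that sockets created under the directory inherit the lab group; what it never accepts is any non-zero "other" digit.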