[Bug 522619] Re: libvirt launced kvm / qemu system processes run as root by default
Jamie Strandboge
jamie at ubuntu.com
Tue Feb 16 14:07:25 GMT 2010
This is discussed extensively in
/usr/share/doc/libvirt-bin/changelog.Debian.gz, but the bottom line is
that in Ubuntu libvirt-managed qemu/kvm VMs are confined by a very
restrictive AppArmor profile by default. This offers significantly
greater protection than running these VMs as an unconfined non-root
user. For users who desire the non-root functionality, libvirt in Ubuntu
is compiled with the necessary options and users need only adjust the
'user' and 'group' options in /etc/libvirt/qemu.conf.

Of course, AppArmor confinement and running as non-root are not mutually
exclusive; however, it was deemed that the risk of regression with
transitioning to the non-root setup for our upcoming LTS release was too
great when compared to the small improvement in security when
considering the default AppArmor confinement. This will likely be
revisited in a future release of Ubuntu.
** Changed in: libvirt (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: libvirt (Ubuntu)
Status: New => Triaged
--
libvirt launced kvm / qemu system processes run as root by default
https://bugs.launchpad.net/bugs/522619
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libvirt in ubuntu.
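
The message above weighs two controls: the UID a VM process runs as and whether AppArmor confines it. The following added example (not part of the original message or of libvirt) reports both for each running VM process. It assumes a Linux /proc with the AppArmor label readable at /proc/<pid>/attr/current, and that VM process names start with "qemu" or "kvm"; the sample strings are constructed.

```python
import os
import re

# Constructed samples in the format of /proc/<pid>/status and attr/current.
SAMPLE_STATUS = "Name:\tkvm\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_LABEL = "libvirt-00000000-0000-0000-0000-000000000000 (enforce)\n"

def euid_from_status(status_text):
    """Return the effective UID from the text of /proc/<pid>/status."""
    # Uid line fields: real, effective, saved, filesystem.
    m = re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def assess(euid, apparmor_label):
    """Classify one VM process by effective UID and AppArmor label."""
    label = apparmor_label.strip().rstrip("\x00")
    # "unconfined" or a profile in complain mode is not treated as confined.
    confined = label.endswith("(enforce)")
    who = "root" if euid == 0 else "non-root"
    if confined:
        return who + ", AppArmor enforced"
    return "ROOT AND UNCONFINED" if euid == 0 else "non-root, unconfined"

def scan(proc="/proc"):
    """Return (pid, name, verdict) for every qemu/kvm process found."""
    results = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            if not comm.startswith(("qemu", "kvm")):
                continue
            with open(f"{proc}/{pid}/status") as f:
                euid = euid_from_status(f.read())
            with open(f"{proc}/{pid}/attr/current") as f:
                label = f.read()
        except OSError:  # process exited, or attribute not readable
            continue
        results.append((int(pid), comm, assess(euid, label)))
    return results

if __name__ == "__main__":
    print("sample:", assess(euid_from_status(SAMPLE_STATUS), SAMPLE_LABEL))
    for pid, comm, verdict in scan():
        print(pid, comm, verdict)
```

Reading another user's attr/current normally requires root, so run it with sufficient privilege to see every VM process.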