Re: libvirt daemon UNIX socket auth with PolicyKit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Aug 08, 2007 at 05:22:33AM +0100, Daniel P. Berrange wrote:

> UNIX domain sockets already provide a way for each end to identify the PID
> and UID of the other end. This enables the libvirt daemon to determine the
> identity of the application on the other end. With this information the
> daemon merely needs to check this identity against some access control policy
> rules. Where to get/define these rules though ?
> 
> Enter PolicyKit.
> 
>   http://lists.freedesktop.org/archives/hal/2006-March/004770.html
>   http://lists.freedesktop.org/archives/hal/2007-June/008815.html

This is entirely new to me, but I suspect this doesn't have any Solaris
integration support (yet? I'm asking around about this).

Nonetheless the basic concept (allow all access, authenticate the peer's
credentials against some kind of database) translates well on Solaris.

>   - libvirtd defines two actions it can check called 'libvirt-local-monitor
>     (read only monitoring of state), and 'libvirt-local-manage' (full
>     read-write management).

Good... but I think we need to consider true delegation as well, that
is, allowing a certain credential to control only one named object. At
least we need to make sure that's possible in the future without
breaking anything here.

>   - libvirtd use SO_PEERCRED to get the PID of the client

Solaris doesn't have this, but the more powerful getpeerucred():

http://docs.sun.com/app/docs/doc/819-2243/6n4i09924?a=view
http://docs.sun.com/app/docs/doc/819-2243/6n4i099nf?a=view

Typically, we would then compare either the process's privilege set or
the user id. Privileges will likely have to come later but the user ID
will translate directly into RBAC:

http://www.samag.com/documents/s=7667/sam0213c/0213c.htm

Now, it may be the case that we can fit into the Policy Kit framework
and that work is ongoing, which would make things simple from libvirt
point of view (only need to replace SO_PEERCRED by getpeerucred for
now). I will endeavour to find out for you...

regards
john

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]