On Wed, Aug 08, 2007 at 05:22:33AM +0100, Daniel P. Berrange wrote: > UNIX domain sockets already provide a way for each end to identify the PID > and UID of the other end. This enables the libvirt daemon to determine the > identity of the application on the other end. With this information the > daemon merely needs to check this identity against some access control policy > rules. Where to get/define these rules though ? > > Enter PolicyKit. > > http://lists.freedesktop.org/archives/hal/2006-March/004770.html > http://lists.freedesktop.org/archives/hal/2007-June/008815.html This is entirely new to me, but I suspect this doesn't have any Solaris integration support (yet? I'm asking around about this). Nonetheless the basic concept (allow all access, authenticate the peer's credentials against some kind of database) translates well on Solaris. > - libvirtd defines two actions it can check called 'libvirt-local-monitor > (read only monitoring of state), and 'libvirt-local-manage' (full > read-write management). Good... but I think we need to consider true delegation as well, that is, allowing a certain credential to control only one named object. At least we need to make sure that's possible in the future without breaking anything here. > - libvirtd use SO_PEERCRED to get the PID of the client Solaris doesn't have this, but the more powerful getpeerucred(): http://docs.sun.com/app/docs/doc/819-2243/6n4i09924?a=view http://docs.sun.com/app/docs/doc/819-2243/6n4i099nf?a=view Typically, we would then compare either the process's privilege set or the user id. Privileges will likely have to come later but the user ID will translate directly into RBAC: http://www.samag.com/documents/s=7667/sam0213c/0213c.htm Now, it may be the case that we can fit into the Policy Kit framework and that work is ongoing, which would make things simple from libvirt point of view (only need to replace SO_PEERCRED by getpeerucred for now). I will endeavour to find out for you... regards john -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list