On Fri, Apr 04, 2008 at 09:55:50AM +0200, Jim Meyering wrote: > "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote: > > This patch makes two adjustments to the way policy kit authentication is > > done. > > > > - Currently the server unconditionally ask the client to do policykit > > authentication. This is unnecessary if the remote client is running > > as root, which we can check via UNIX socket credentials. Unconditionally > > asking plays havoc with SSH tunneling, so this patch makes it check the > > socket credentials ¬ ask for auth if the client is UID==0 > > > > - The virsh client will unconditionally call polkit-auth to request > > credentials. This is also unneccessary if the client is running as > > root, so this patch makes it skip that step as root. > > > > The patch is bigger than it seems because removing an if() conditional > > made a huge chunk be re-indented. > > Good idea. Looks fine. > ACK. > > [BTW, thanks for the SO_PEERCRED example -- I didn't know about it, > and was surprised to find so little documentation on it. ] The code for UNIX socket credential checking can be made portable, but it's really a big mess, in gamin I also allow CMSGCRED, which increase portability a bit. I remember looking in glib at the time for this kind of code, but as the comment point out DBus code should have a fairly complete and up to date set. Daniel -- Red Hat Virtualization group http://redhat.com/virtualization/ Daniel Veillard | virtualization library http://libvirt.org/ veillard@xxxxxxxxxx | libxml GNOME XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/ -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list