Re: [PATCH] polkit: Allow password-less access for 'libvirt' group

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
> 
> Let's finally add official support for this.
> 
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirt' group. Create the group on RPM install
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
>  daemon/50-libvirt.rules |  9 +++++++++
>  daemon/Makefile.am      | 13 +++++++++++++
>  libvirt.spec.in         | 15 +++++++++++++--
>  3 files changed, 35 insertions(+), 2 deletions(-)
>  create mode 100644 daemon/50-libvirt.rules
> 
> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
> new file mode 100644
> index 0000000..01a15fa
> --- /dev/null
> +++ b/daemon/50-libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirt' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> +    if (action.id == "org.libvirt.unix.manage" &&
> +        subject.isInGroup("libvirt")) {
> +        return polkit.Result.YES;
> +    }
> +});

That's what we're shipping in Debian since quiet some time:

    https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules

even with the same group name (which came from the group that owns the
socket for socket based permissions). Would be great to be consistent
across distros.

> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..e200ac1 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST =						\
>  	libvirtd.init.in				\
>  	libvirtd.upstart				\
>  	libvirtd.policy.in				\
> +	50-libvirt.rules				\
>  	libvirtd.sasl					\
>  	libvirtd.service.in				\
>  	libvirtd.socket.in				\
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
>  else ! WITH_POLKIT0
>  policydir = $(datadir)/polkit-1/actions
>  policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = 50-libvirt.rules
>  endif ! WITH_POLKIT0
>  endif WITH_POLKIT
>  
> @@ -263,9 +266,19 @@ if WITH_POLKIT
>  install-data-polkit::
>  	$(MKDIR_P) $(DESTDIR)$(policydir)
>  	$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> +	$(MKDIR_P) $(DESTDIR)$(rulesdir)
> +	$(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)
> +endif ! WITH_POLKIT0
> +
>  uninstall-data-polkit::
>  	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>  	rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> +	rm -f $(DESTDIR)$(rulesdir)/$(rulesfile)
> +	rmdir $(DESTDIR)$(rulesdir)
> +endif ! WITH_POLKIT0
> +
>  else ! WITH_POLKIT
>  install-data-polkit::
>  uninstall-data-polkit::
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..c71ef25 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
>  fi
>  
>  %if %{with_libvirtd}
> +%pre daemon
>      %if ! %{with_driver_modules}
>          %if %{with_qemu}
> -%pre daemon
>              %if 0%{?fedora} || 0%{?rhel} >= 6
>  # We want soft static allocation of well-known ids, as disk images
>  # are commonly shared across NFS mounts by id rather than name; see
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
>      useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
>    fi
>  fi
> -exit 0
>              %endif
>          %endif
>      %endif
>  
> +    %if %{with_polkit}
> +        %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirt' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirt >/dev/null || groupadd -r libvirt
> +        %endif
> +    %endif
> +
> +exit 0
> +
>  %post daemon
>  
>      %if %{with_systemd}
> @@ -1939,6 +1949,7 @@ exit 0
>          %if 0%{?fedora} || 0%{?rhel} >= 6
>  %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
>  %{_datadir}/polkit-1/actions/org.libvirt.api.policy
> +%{_datadir}/polkit-1/rules.d/50-libvirt.rules
>          %else
>  %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
>          %endif
> -- 
> 2.3.6
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

ACK.
 -- Guido

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]