On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
>
> Let's finally add official support for this.
>
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirt' group. Create the group on RPM install
>
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
> daemon/50-libvirt.rules | 9 +++++++++
> daemon/Makefile.am | 13 +++++++++++++
> libvirt.spec.in | 15 +++++++++++++--
> 3 files changed, 35 insertions(+), 2 deletions(-)
> create mode 100644 daemon/50-libvirt.rules
>
> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
> new file mode 100644
> index 0000000..01a15fa
> --- /dev/null
> +++ b/daemon/50-libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirt' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> + if (action.id == "org.libvirt.unix.manage" &&
> + subject.isInGroup("libvirt")) {
> + return polkit.Result.YES;
> + }
> +});
That's what we're shipping in Debian since quiet some time: https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules even with the same group name (which came from the group that owns the socket for socket based permissions). Would be great to be consistent across distros.
> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..e200ac1 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST = \
> libvirtd.init.in \
> libvirtd.upstart \
> libvirtd.policy.in \
> + 50-libvirt.rules \
> libvirtd.sasl \
> libvirtd.service.in \
> libvirtd.socket.in \
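Review bot: The header comment of the new 50-libvirt.rules file should say what membership in the 'libvirt' group actually grants: the rule returns polkit.Result.YES for org.libvirt.unix.manage, which the commit message itself presents as a replacement for entering the root password, so adding a user to this group hands them full administrative control of the system libvirtd and should be treated like adding them to wheel/sudo. Suggest extending the comment with `// NOTE: membership in 'libvirt' grants unrestricted management of the system libvirtd; treat it as root-equivalent when adding users.` As far as I recall polkit's documented behaviour, rules.d files from /etc and /usr/share are sorted together by filename and the first rule returning a definite result wins, so a site that wants to tighten this (e.g. restrict to a subset of the group) has to install an override that sorts before 50-, not after; a second comment line pointing that out would save admins from writing an override that never runs.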
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
> else ! WITH_POLKIT0
> policydir = $(datadir)/polkit-1/actions
> policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = 50-libvirt.rules
> endif ! WITH_POLKIT0
> endif WITH_POLKIT
>
> @@ -263,9 +266,19 @@ if WITH_POLKIT
> install-data-polkit::
> $(MKDIR_P) $(DESTDIR)$(policydir)
> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)
> +endif ! WITH_POLKIT0
> +
> uninstall-data-polkit::
> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> + rm -f $(DESTDIR)$(rulesdir)/$(rulesfile)
> + rmdir $(DESTDIR)$(rulesdir)
> +endif ! WITH_POLKIT0
> +
> else ! WITH_POLKIT
> install-data-polkit::
> uninstall-data-polkit::
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..c71ef25 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
> fi
>
> %if %{with_libvirtd}
> +%pre daemon
> %if ! %{with_driver_modules}
> %if %{with_qemu}
> -%pre daemon
> %if 0%{?fedora} || 0%{?rhel} >= 6
> # We want soft static allocation of well-known ids, as disk images
> # are commonly shared across NFS mounts by id rather than name; see
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
> fi
> fi
> -exit 0
> %endif
> %endif
> %endif
>
> + %if %{with_polkit}
> + %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirt' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirt >/dev/null || groupadd -r libvirt
> + %endif
> + %endif
> +
> +exit 0
> +
> %post daemon
>
> %if %{with_systemd}
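Review bot: The new `rmdir $(DESTDIR)$(rulesdir)` in uninstall-data-polkit has no `|| :` guard, unlike the `rmdir $(DESTDIR)$(policydir) || :` line directly above it that it mirrors. polkit-1/rules.d is a shared directory that polkit itself and other packages populate, so on any real system it will be non-empty, rmdir will fail, and `make uninstall` will abort. Change it to `rmdir $(DESTDIR)$(rulesdir) || :` to match the existing policydir handling.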
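Review bot: The new comment says "The uid number is irrelevant", but the scriptlet creates a group with `groupadd -r`, so it should read `# libvirtd. The gid number is irrelevant, so we use dynamic allocation`. Also, because the `exit 0` that used to close the qemu block now terminates the whole %pre, a failing `groupadd -r libvirt` is silently ignored; the packaged 50-libvirt.rules then simply never matches (polkit falls back to the normal auth_admin prompt), which is the safe failure mode but means the advertised password-less access quietly does nothing, so a one-line note such as `# if groupadd fails, the polkit rule never matches and access stays admin-only` would help the next maintainer. The `%pre daemon` scriptlet now spans both spec hunks, opening in the first and ending at the moved `exit 0` in the second.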
> @@ -1939,6 +1949,7 @@ exit 0
> %if 0%{?fedora} || 0%{?rhel} >= 6
> %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
> %{_datadir}/polkit-1/actions/org.libvirt.api.policy
> +%{_datadir}/polkit-1/rules.d/50-libvirt.rules
> %else
> %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
> %endif
> --
> 2.3.6
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
>
ACK.
--
Guido
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list