On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
> On 04/29/2015 03:42 PM, Guido Günther wrote:
> > On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
> >> Many users, who admin their own machines, want to be able to access
> >> system libvirtd via tools like virt-manager without having to enter
> >> a root password. Just google 'virt-manager without password' and
> >> you'll find many hits. I've read at least 5 blog posts over the years
> >> describing slightly different ways of achieving this goal.
> >>
> >> Let's finally add official support for this.
> >>
> >> Install a polkit-1 rules file granting password-less auth for any user
> >> in the new 'libvirt' group. Create the group on RPM install
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> >> --- > >> daemon/50-libvirt.rules | 9 +++++++++ > >> daemon/Makefile.am | 13 +++++++++++++ > >> libvirt.spec.in | 15 +++++++++++++-- > >> 3 files changed, 35 insertions(+), 2 deletions(-) > >> create mode 100644 daemon/50-libvirt.rules > >> > >> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules > >> new file mode 100644 > >> index 0000000..01a15fa > >> --- /dev/null > >> +++ b/daemon/50-libvirt.rules
> >> @@ -0,0 +1,9 @@ > >> +// Allow any user in the 'libvirt' group to connect to system libvirtd > >> +// without entering a password. > >> + > >> +polkit.addRule(function(action, subject) { > >> + if (action.id == "org.libvirt.unix.manage" && > >> + subject.isInGroup("libvirt")) { > >> + return polkit.Result.YES; > >> + } > >> +});
> >
> > That's what we're shipping in Debian since quite some time:
> >
> > https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules
> >
> > even with the same group name (which came from the group that owns the
> > socket for socket based permissions). Would be great to be consistent
> > across distros.
> >
>
> Latest version of the patch uses libvirtadm at Dan's suggestion... but if
> there's already precedent with what debian is shipping we might want to stick
> with plain 'libvirt'.
>
> Dan, thoughts?

Yeah, since both Suse and Debian have shipped this already with a group name
of 'libvirt', we should use that for consistency.

Regards,
Daniel
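
Review bot: the condition inside polkit.addRule tests only action.id and subject.isInGroup("libvirt"), so polkit.Result.YES is returned for every session a group member has, including non-local or inactive ones. If that is the intent, the header comment should say so and state that membership in the group replaces the password prompt for org.libvirt.unix.manage, so an admin knows what adding a user to the group grants; if not, add `subject.local && subject.active` to the condition. The group name is also a string literal here, so whichever name the thread settles on ('libvirt' or 'libvirtadm') has to be changed in this file and in the group-creation step in libvirt.spec.in together.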