On Thu, Apr 30, 2015 at 09:14:13AM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
>
> Let's finally add official support for this.
>
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirt' group. Create the group on RPM install
>
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
> v3:
> Back to group=libvirt to match what debian and suse are using
>
> Patch is unchanged otherwise. So unless there's objects all carry
> over the previous ACK from danpb and push after the release is out
>
> daemon/Makefile.am | 13 +++++++++++++
> daemon/libvirt.rules | 9 +++++++++
> libvirt.spec.in | 15 +++++++++++++--
> 3 files changed, 35 insertions(+), 2 deletions(-)
> create mode 100644 daemon/libvirt.rules
>
> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..974feed 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST = \
> libvirtd.init.in \
> libvirtd.upstart \
> libvirtd.policy.in \
> + libvirt.rules \
> libvirtd.sasl \
> libvirtd.service.in \
> libvirtd.socket.in \
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
> else ! WITH_POLKIT0
> policydir = $(datadir)/polkit-1/actions
> policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = libvirt.rules
> endif ! WITH_POLKIT0
> endif WITH_POLKIT
>
> @@ -263,9 +266,19 @@ if WITH_POLKIT
> install-data-polkit::
> $(MKDIR_P) $(DESTDIR)$(policydir)
> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
> +endif ! WITH_POLKIT0
> +
> uninstall-data-polkit::
> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
> + rmdir $(DESTDIR)$(rulesdir) || :
> +endif ! WITH_POLKIT0
> +
> else ! WITH_POLKIT
> install-data-polkit::
> uninstall-data-polkit::
> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
> new file mode 100644
> index 0000000..01a15fa
> --- /dev/null
> +++ b/daemon/libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirt' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> + if (action.id == "org.libvirt.unix.manage" &&
> + subject.isInGroup("libvirt")) {
> + return polkit.Result.YES;
> + }
> +});
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..c71ef25 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
> fi
>
> %if %{with_libvirtd}
> +%pre daemon
> %if ! %{with_driver_modules}
> %if %{with_qemu}
> -%pre daemon
> %if 0%{?fedora} || 0%{?rhel} >= 6
> # We want soft static allocation of well-known ids, as disk images
> # are commonly shared across NFS mounts by id rather than name; see
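Review bot: The installed name `50-libvirt.rules` is spelled out twice in this hunk, once as the `$(INSTALL_DATA)` target and once in the `rm -f` of `uninstall-data-polkit`, while the source name already has a variable, so the two copies can drift apart silently on a rename. Suggest defining the destination next to `rulesfile` in the `else ! WITH_POLKIT0` block of the previous hunk, e.g. `rulesdest = 50-libvirt.rules`, and writing `$(DESTDIR)$(rulesdir)/$(rulesdest)` in both places.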
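Review bot: The header comment undersells what the rule grants: returning `polkit.Result.YES` for `org.libvirt.unix.manage` gives every member of the `libvirt` group full read-write control of the system libvirtd, not merely a skipped password prompt, and nothing in the rule narrows it further (no session or locality condition). Administrators reading rules.d will take the comment as the policy statement, so it should say that group membership is a privileged grant; on a typical deployment that is presumably comparable to root on the host, which is worth confirming against the daemon's own documentation. Suggest extending the comment with `// Membership in 'libvirt' grants full management of the system daemon; treat it as a privileged group.` The callback returns undefined for every other action, so the default policy still applies to them; a one-line comment stating that would make the fall-through intent explicit.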
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
> fi
> fi
> -exit 0
> %endif
> %endif
> %endif
>
> + %if %{with_polkit}
> + %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirt' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirt >/dev/null || groupadd -r libvirt
> + %endif
> + %endif
> +
> +exit 0
> +
> %post daemon
>
> %if %{with_systemd}
> @@ -1939,6 +1949,7 @@ exit 0
> %if 0%{?fedora} || 0%{?rhel} >= 6
> %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
> %{_datadir}/polkit-1/actions/org.libvirt.api.policy
> +%{_datadir}/polkit-1/rules.d/50-libvirt.rules
> %else
> %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
> %endif
> --
ACK.
--
Guido
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
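Review bot: The new comment says `The uid number is irrelevant`, but what `groupadd -r libvirt` creates is a group, so the line should read `# libvirtd. The gid number is irrelevant, so we use dynamic allocation`. The comment also refers to `the above link`, which sits in the `%if %{with_qemu}` block of the earlier `%pre daemon` hunk; with `%pre daemon` now unconditional, a build with `%{with_polkit}` on and `%{with_qemu}` off presumably emits this scriptlet without that text, leaving the reference dangling, so naming the target directly or dropping the phrase is safer. Moving `exit 0` to the end of the scriptlet looks right, since the group creation now has to run after the qemu user block.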