Re: [PATCH dbus] Run system instance as an unprivileged user account

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 27, 2017 at 04:35:39PM +0200, Pino Toscano wrote:
> On Friday, 27 October 2017 16:18:42 CEST Daniel P. Berrange wrote:
> > There is no reason for the libvirt-dbus daemon to require root privileges. All
> > it actually needs is ability to connect to libvirtd, which can be achieved by
> > dropping in a polkit configuration file
> > 
> > Now a libvirt connection to the system bus gives you privileges equivalent to
> > root, so this doesn't really improve security on its own. It relies on there
> > being a dbus policy that prevents users from issuing elevated APIs.
> > 
> > For example, a DBus policy could allow non-root users to list VMs on the
> > system bus and get their status (aka virsh list equiv). In this case, the
> > security isolation does give some benefit.
> > 
> > Security can be further improved if the admin uses the libvirt polkit file to
> > restrict what libvirt-dbus is permitted to do.
> > 
> > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> > ---
> > [...]
> > diff --git a/data/system/org.libvirt.conf b/data/system/org.libvirt.conf
> > index 5cbc732..2b11717 100644
> > --- a/data/system/org.libvirt.conf
> > +++ b/data/system/org.libvirt.conf
> > @@ -4,7 +4,7 @@
> >  
> >  <busconfig>
> >  
> > -  <policy user="root">
> > +  <policy user="libvirtdbus">
> >      <allow own="org.libvirt"/>
> >      <allow send_destination="org.libvirt"/>
> >    </policy>
> 
> Most probably this file should be git rm'ed, and added to the
> .gitignore.

Urgh yes. It seems the deletion got lost when I did a  git stash and then
unstashed.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux