On Mon, Sep 06, 2010 at 12:16:40PM +0200, Soren Hansen wrote: > On 06-09-2010 11:17, Daniel P. Berrange wrote: > > Our goal is to improve qemu://session's networking such that this > > isn't a reason to use qemu://system anymore > > Fair enough, but when that happens, I'm supposing people won't have > access to the system-wide UNIX socket anymore. No, we won't change access to the system instance, the policy for that is already configurable per-host by admins if they so desire. It is more a case of making virt-manager use the qemu:///session uri by default, rather than a change in libvirtd. > > In addition by running VMs directly under the user's session things > > like pulseaudio, SDL can directly access the X & GNOME sessions > > without further special config. > > I was under the impression that currently targeted solution to at least > the audio problem was tunelling through VNC? Yep, that is another piece of work - they're not mutually exclusive, since the audio-over-VNC functionality is useful for remote access across the network, as well as local system access. > > > This is ignoring two important use cases which are common in the > > corporate world. Shared development servers where many users are on > > one server, and personal workstations where the users are not > > allowed to have root. > > I disagree. In both of those cases, I'd be surprised if people were able > to access the privileged libvirtd socket. In the former case, if people > generally had access to the systemwide libvirtd instance, I'd assume > that was because that was the one they were supposed to use for their > shared development stuff. In the latter case, with that sort of access, > I could have full root shell access within minutes, so that'd be a > pretty big security fail. You are equating access to the UNIX socket, with authorization to the unix socket. With PolicyKit auth enabled by default, the UNIX socket is mode 0777 at all times, but this does not imply that all users are able to use it. They can connect, but if PolicyKit denies them, their connection will be dropped by the server. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list