[Libvir] libvirt daemon UNIX socket auth with PolicyKit
Richard W.M. Jones
rjones at redhat.com
Wed Aug 8 14:42:30 UTC 2007
Daniel P. Berrange wrote:
> Currently our authentication model for local connections is using the basic
> UNIX file permissions, possibly with a setuid helper (in Xen case only). It
> can be summarized as
>
> - If app using libvirt is running as root
> => full access
> - Else
> => read only access
>
> The latter is enforced by fact that in Xen case libvirt_proxy only has impl
> for a handful of read only APIs, or in non-Xen case that the UNIX domain
> socket for the daemon /var/run/libvirt/libvirt-sock is mode 0700, while
> /var/run/libvirt/libvirt-sock-ro is 0777 & the daemon enforces based on which
> socket the client connects to.
>
> This is good because it allows non-root to at least monitor guest state
> while requiring root authentication for actually changing state.
>
> This is bad because it requires any app which wants to change state to run
> as root. ie we are required to launch virt-manager as root to gain ability
> to manage local guests. Problem with this include:
>
> - running the entire PyGTK & GTK & X codebase as root is undesirable
> - no integration with the DBus desktop session (gnome-vfs integartion)
> - no integration with the GNOME keyring (for VNC server passwords)
> - redundant (&dangerous) if all you want to do is manage remote libvirt hosts
>
> In summary what I really need for virt-manager is
>
> - Always run as non-root
> - Authenticate for local guest management (ie read+write)
>
> UNIX domain sockets already provide a way for each end to identify the PID
> and UID of the other end. This enables the libvirt daemon to determine the
> identity of the application on the other end. With this information the
> daemon merely needs to check this identity against some access control policy
> rules. Where to get/define these rules though ?
I'm unclear as to what problem this is solving that couldn't be solved
using Unix users and groups. Add the users who need full access to a
Unix group and change the permissions on the r/w socket:
srw-rw---- 1 root virtstaff 0 2007-06-29 15:50
/var/run/libvirt/libvirt-sock
I guess that'd be too simple for people who think XML configuration
files are a good idea.
Well, I checked the patch and it is not invasive, nor does it depend on
PolicyKit / freedesktop.org crack being available in the future, so I
guess we can carry it.
Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in
England and Wales under Company Registration No. 03798903
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20070808/4a2872f8/attachment-0001.bin>
More information about the libvir-list
mailing list