[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libvir] libvirt daemon UNIX socket auth with PolicyKit



On Wed, Aug 08, 2007 at 04:02:25PM +0100, Richard W.M. Jones wrote:
> Daniel P. Berrange wrote:
> >On Wed, Aug 08, 2007 at 03:42:30PM +0100, Richard W.M. Jones wrote:
> >>Daniel P. Berrange wrote:
> >>  srw-rw---- 1 root virtstaff 0 2007-06-29 15:50 
> >>/var/run/libvirt/libvirt-sock
> >
> >That either gives a user full access without requiring any password, or
> >requires that the app run as root. That's just a mild tweaking of the 
> >status quo. It doesn't allow us to authenticate a non-root user to allow
> >them access without the app itself being run as root.
> 
> I wouldn't call it a "mild tweaking of the status quo".  It lets an 
> administrator designate staff who are permitted to manage virtualization 
> (ie. by adding them to the virtstaff group), and then those staff can 
> run management programs as themselves (non-root).  If typing in a 
> password is important because it proves that at the moment that the 
> program was started, then the staff member was sitting in front of the 
> computer (but not, like, later on or anything), then perhaps the 
> administrators of these super secure systems should ensure their staff 
> use screensavers.
> 
> Anyhow isn't this something which SELinux was supposed to solve?

Yes - but with the caveat that it only solves it if running in 'strict'
mode. In 'targetted' mode all user accounts are unconfined_t so can do
pretty much anything they like. So we can't usefully leverage SELinux
for this in most common deployements.

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]