[libvirt] problems with remote authentication with policykit

Daniel P. Berrange berrange at redhat.com
Wed Jun 17 22:00:41 UTC 2009


On Wed, Jun 17, 2009 at 05:51:27PM -0400, Jim Paris wrote:
> Daniel P. Berrange wrote:
> 17:34:59.360: debug : call:6947 : Doing call 70 (nil)
> 17:34:59.360: debug : call:7017 : We have the buck 70 0xbccef0 0xbccef0
> 17:34:59.433: debug : processCallRecvLen:6605 : Got length, now need 128 total (124 more)
> 17:34:59.434: debug : processCalls:6873 : Giving up the buck 70 0xbccef0 (nil)
> 17:34:59.434: debug : call:7048 : All done with our call 70 (nil) 0xbccef0
> 17:34:59.434: error : server_error:7231 : authentication failed
> 17:35:13.585: debug : do_open:999 : driver 4 remote returned ERROR
> 17:35:13.585: debug : virUnrefConnect:232 : unref connection 0xbc6a60 1
> 17:35:13.585: debug : virReleaseConnect:191 : release connection 0xbc6a60
> 
> If I kill the libvirtd process on the server, the client then finally prints:
> 
> error: authentication failed
> error: failed to connect to the hypervisor
> 
> and the client then exits.

Ok, this bit definitely sounds like a server side bug, unless
perhaps there is some buffering taking place in ssh or nc
causing the error reply packet to not be sent back promptly.

> 
> 
> On the server side, the libvirtd output is
> 
> 17:34:59.378: debug : remoteDispatchAuthPolkit:3385 : Start PolicyKit auth 25
> 17:34:59.378: info : remoteDispatchAuthPolkit:3396 : Checking PID 7551 running as 1000
> 17:34:59.379: debug : virEventRunOnce:567 : Poll got 1 event
> 17:34:59.379: debug : virEventDispatchHandles:450 : Dispatch n=2 f=9 w=3 e=1 0x1a72790
> 17:34:59.379: debug : nodeDeviceLock:52 : LOCK node 0x1a748e0
> 17:34:59.379: debug : nodeDeviceUnlock:57 : UNLOCK node 0x1a748e0
> 17:34:59.426: error : remoteDispatchAuthPolkit:3451 : Policy kit denied action org.libvirt.unix.manage from pid 7551, uid 1000, result: auth_admin_keep_session
> 
> The hang aside, it seems libvirtd should be using
> org.libvirt.unix.monitor for the readonly connection?

In this case the problem is that the remote client end is using
netcat on the wrong UNIX socket. 

In remote_internal.c it does

        cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET);

When it should be doing

        cmd_argv[j++] = strdup (sockname ? sockname :
               (flags & VIR_CONNECT_RO ? LIBVIRTD_PRIV_UNIX_SOCKET_RO
                                       : LIBVIRTD_PRIV_UNIX_SOCKET));

That would make libvirtd use the correct permission check.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
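To make the socket mix-up described above concrete, here is an added example (not libvirt's own code) that contrasts the pre-fix socket selection with the corrected one and shows which PolicyKit action libvirtd ends up checking on each socket. The socket paths and the VIR_CONNECT_RO value are assumed defaults, and the "nc -U" command shape is assumed to match the ssh transport.

```c
/* Added example, not libvirt code: which UNIX socket the remote client's
 * "nc -U" should target, and which PolicyKit action libvirtd then checks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIBVIRTD_PRIV_UNIX_SOCKET    "/var/run/libvirt/libvirt-sock"    /* assumed default path */
#define LIBVIRTD_PRIV_UNIX_SOCKET_RO "/var/run/libvirt/libvirt-sock-ro" /* assumed default path */
#define VIR_CONNECT_RO 1  /* libvirt's read-only connection flag (value assumed) */

/* Corrected selection: an explicit sockname wins, otherwise the flags decide
 * between the read-only and the privileged default socket. */
const char *remote_socket_path(const char *sockname, unsigned int flags)
{
    if (sockname)
        return sockname;
    return (flags & VIR_CONNECT_RO) ? LIBVIRTD_PRIV_UNIX_SOCKET_RO
                                    : LIBVIRTD_PRIV_UNIX_SOCKET;
}

/* Pre-fix behaviour from the mail: the flags are ignored, so even a
 * read-only connection lands on the privileged socket. */
const char *remote_socket_path_buggy(const char *sockname, unsigned int flags)
{
    (void)flags;
    return sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET;
}

/* libvirtd derives the action from the socket that was connected, not from
 * what the client intended: the RO socket maps to monitor, anything else
 * to manage. */
const char *polkit_action_for_socket(const char *path)
{
    return strcmp(path, LIBVIRTD_PRIV_UNIX_SOCKET_RO) == 0
        ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage";
}

/* Build the "nc -U <socket>" tail run over ssh; returns 0 or -1 on overflow. */
int build_nc_cmd(char *buf, size_t len, const char *sockname, unsigned int flags)
{
    int n = snprintf(buf, len, "nc -U %s", remote_socket_path(sockname, flags));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```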