[libvirt] [PATCH] PolicyKit: Check auth before asking client to obtain it

Daniel P. Berrange berrange at redhat.com
Fri Jan 6 10:20:57 UTC 2012


On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote:
> On 01/03/2012 03:35 PM, Jim Fehlig wrote:
> > I previously mentioned [1] a PolicyKit issue where libvirt would
> > proceed with authentication even though polkit-auth failed:
> > 
> > testusr xen134:~> virsh list --all
> > Attempting to obtain authorization for org.libvirt.unix.manage.
> > polkit-grant-helper: given auth type (8 -> yes) is bogus
> > Failed to obtain authorization for org.libvirt.unix.manage.
> >  Id Name                 State
> > ----------------------------------
> >   0 Domain-0             running
> >   - sles11sp1-pv         shut off
> > 
> > AFAICT, libvirt attempts to obtain a privilege it already has,
> > causing polkit-auth to fail with above message.  Instead of calling
> > obtain and then checking auth, IMO the workflow should be for the
> > server to check auth first, and if that fails ask the client to
> > obtain it and check again.  This workflow also allows for checking
> > only successful exit of polkit-auth in virConnectAuthGainPolkit().
> > 
> > [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
> > ---
> >  src/libvirt.c              |    2 +-
> >  src/remote/remote_driver.c |   11 +++++++++++
> >  2 files changed, 12 insertions(+), 1 deletions(-)
> 
> This looks reasonable to me, but I'd like a second opinion from someone
> more familiar with the PolicyKit code before you push anything (that
> would probably be DV or danpb).  If they agree, then I think it can go
> in 0.9.9.

ACK

Out of interest, what Suse distro releases are still relying on
the old policy kit code, as opposed to the new style ?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list