[libvirt] [PATCH] PolicyKit: Check auth before asking client to obtain it
Daniel P. Berrange
berrange at redhat.com
Fri Jan 6 10:20:57 UTC 2012
On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote:
> On 01/03/2012 03:35 PM, Jim Fehlig wrote:
> > I previously mentioned [1] a PolicyKit issue where libvirt would
> > proceed with authentication even though polkit-auth failed:
> >
> > testusr xen134:~> virsh list --all
> > Attempting to obtain authorization for org.libvirt.unix.manage.
> > polkit-grant-helper: given auth type (8 -> yes) is bogus
> > Failed to obtain authorization for org.libvirt.unix.manage.
> > Id Name State
> > ----------------------------------
> > 0 Domain-0 running
> > - sles11sp1-pv shut off
> >
> > AFAICT, libvirt attempts to obtain a privilege it already has,
> > causing polkit-auth to fail with above message. Instead of calling
> > obtain and then checking auth, IMO the workflow should be for the
> > server to check auth first, and if that fails ask the client to
> > obtain it and check again. This workflow also allows for checking
> > only successful exit of polkit-auth in virConnectAuthGainPolkit().
> >
> > [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
> > ---
> > src/libvirt.c | 2 +-
> > src/remote/remote_driver.c | 11 +++++++++++
> > 2 files changed, 12 insertions(+), 1 deletions(-)
>
> This looks reasonable to me, but I'd like a second opinion from someone
> more familiar with the PolicyKit code before you push anything (that
> would probably be DV or danpb). If they agree, then I think it can go
> in 0.9.9.
ACK
Out of interest, what Suse distro releases are still relying on
the old policy kit code, as opposed to the new style ?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list