[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Can we allow users in 'qemu' group to skip polkit auth?



On Tue, Jun 11, 2013 at 17:11:12 -0400, Cole Robinson wrote:
> There's a bug report filed against Fedora libvirt requesting a polkit rule be
> installed that grants read/write libvirt access to all users in the 'qemu' group:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> 
> I'm inclined to agree with the reporter, and time has shown that many users
> install custom polkit rules to grant their user passwordless access to libvirt
> so this would definitely fill a need.
> 
> I'm sure there's plenty to consider here since we are talking about security.
> Thoughts?

I don't know if it's a generally good idea or not being a polkit
illiterate, however, I know for sure it should not be allowed for 'qemu'
group. We certainly don't want QEMU (run as qemu:qemu) to be able to
mess with libvirt. That said, if we should create a dedicated 'libvirt'
group in case we implement the requested polkit rule.

Jirka


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]