
Re: [libvirt] [PATCH v2] polkit: Allow password-less access for 'libvirtadm' group



On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
> 
> Let's finally add official support for this.
> 
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirtadm' group. Create the group on RPM install.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
> v2:
> - Name the group libvirtadm (danpb)
> - Name the source file libvirt.rules and rename on install (eblake)
> 
>  daemon/Makefile.am   | 13 +++++++++++++
>  daemon/libvirt.rules |  9 +++++++++
>  libvirt.spec.in      | 15 +++++++++++++--
>  3 files changed, 35 insertions(+), 2 deletions(-)
>  create mode 100644 daemon/libvirt.rules
> 
> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..974feed 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST =						\
>  	libvirtd.init.in				\
>  	libvirtd.upstart				\
>  	libvirtd.policy.in				\
> +	libvirt.rules					\
>  	libvirtd.sasl					\
>  	libvirtd.service.in				\
>  	libvirtd.socket.in				\
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
>  else ! WITH_POLKIT0
>  policydir = $(datadir)/polkit-1/actions
>  policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = libvirt.rules
>  endif ! WITH_POLKIT0
>  endif WITH_POLKIT
>  
> @@ -263,9 +266,19 @@ if WITH_POLKIT
>  install-data-polkit::
>  	$(MKDIR_P) $(DESTDIR)$(policydir)
>  	$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> +	$(MKDIR_P) $(DESTDIR)$(rulesdir)
> +	$(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
> +endif ! WITH_POLKIT0
> +
>  uninstall-data-polkit::
>  	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>  	rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> +	rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
> +	rmdir $(DESTDIR)$(rulesdir) || :
> +endif ! WITH_POLKIT0
> +
>  else ! WITH_POLKIT
>  install-data-polkit::
>  uninstall-data-polkit::
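Review bot: the installed name `50-libvirt.rules` is spelled out twice in this hunk (once in `install-data-polkit::`, once in `uninstall-data-polkit::`) while the source name lives in `$(rulesfile)`; a second variable for the installed name, defined next to `rulesfile`, would keep the install and uninstall rules from drifting apart. A one-line comment on why the `50-` prefix was chosen would also help the next person who has to order a rules file relative to this one.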
> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
> new file mode 100644
> index 0000000..e70c09b
> --- /dev/null
> +++ b/daemon/libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirtadm' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> +    if (action.id == "org.libvirt.unix.manage" &&
> +        subject.isInGroup("libvirtadm")) {
> +        return polkit.Result.YES;
> +    }
> +});
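Review bot: the rule returns `polkit.Result.YES` for any `libvirtadm` member with no condition on the session, so the file comment should say plainly what is being granted: `org.libvirt.unix.manage` is the full management action on the system daemon, which for practical purposes is root-equivalent control of the host's guests and storage. Either state in the comment that membership in `libvirtadm` is meant to apply to every login of that user, remote sessions included, or consider restricting the grant to local, active sessions (polkit exposes `subject.local` and `subject.active` for this) and document that choice.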
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..10a28a2 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
>  fi
>  
>  %if %{with_libvirtd}
> +%pre daemon
>      %if ! %{with_driver_modules}
>          %if %{with_qemu}
> -%pre daemon
>              %if 0%{?fedora} || 0%{?rhel} >= 6
>  # We want soft static allocation of well-known ids, as disk images
>  # are commonly shared across NFS mounts by id rather than name; see
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
>      useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
>    fi
>  fi
> -exit 0
>              %endif
>          %endif
>      %endif
>  
> +    %if %{with_polkit}
> +        %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirtadm' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
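Review bot: with `exit 0` removed, the scriptlet's status is now that of its last command, so a failing `groupadd -r libvirtadm` aborts installation of the daemon package; that is defensible (the rules file would otherwise name a group that does not exist), but it should be a deliberate choice and deserves a sentence in the commit message. Two smaller points in the new comment: "described at the above link" refers to the link in the qemu-user block, which is only emitted when `%{with_qemu}` and `! %{with_driver_modules}` both hold, so restate the reference or drop it so the comment stands on its own; and "The uid number is irrelevant" should read "gid", since this creates a group.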

Hmm, you know I think we should probably file a bug against the
'setup' RPM in Fedora to request allocation of a group ID value
for this, so we can default to using a fixed group ID, as we do
for other users/groups we create.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

