[libvirt] [PATCH v2] polkit: Allow password-less access for 'libvirtadm' group
Daniel P. Berrange
berrange at redhat.com
Wed Apr 29 15:36:36 UTC 2015
On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
> On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
> > On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
> >> Many users, who admin their own machines, want to be able to access
> >> system libvirtd via tools like virt-manager without having to enter
> >> a root password. Just google 'virt-manager without password' and
> >> you'll find many hits. I've read at least 5 blog posts over the years
> >> describing slightly different ways of achieving this goal.
> >>
> >> Let's finally add official support for this.
> >>
> >> Install a polkit-1 rules file granting password-less auth for any user
> >> in the new 'libvirtadm' group. Create the group on RPM install
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> >> ---
> >> v2:
> >> - Name the group libvirtadm (danpb)
> >> - Name the source file libvirt.rules and rename on install (eblake)
> >>
> >> daemon/Makefile.am | 13 +++++++++++++
> >> daemon/libvirt.rules | 9 +++++++++
> >> libvirt.spec.in | 15 +++++++++++++--
> >> 3 files changed, 35 insertions(+), 2 deletions(-)
> >> create mode 100644 daemon/libvirt.rules
> >>
> >> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> >> index 300b9a5..974feed 100644
> >> --- a/daemon/Makefile.am
> >> +++ b/daemon/Makefile.am
> >> @@ -53,6 +53,7 @@ EXTRA_DIST = \
> >> libvirtd.init.in \
> >> libvirtd.upstart \
> >> libvirtd.policy.in \
> >> + libvirt.rules \
> >> libvirtd.sasl \
> >> libvirtd.service.in \
> >> libvirtd.socket.in \
> >> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
> >> else ! WITH_POLKIT0
> >> policydir = $(datadir)/polkit-1/actions
> >> policyauth = auth_admin_keep
> >> +rulesdir = $(datadir)/polkit-1/rules.d
> >> +rulesfile = libvirt.rules
> >> endif ! WITH_POLKIT0
> >> endif WITH_POLKIT
> >>
> >> @@ -263,9 +266,19 @@ if WITH_POLKIT
> >> install-data-polkit::
> >> $(MKDIR_P) $(DESTDIR)$(policydir)
> >> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> >> +if ! WITH_POLKIT0
> >> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
> >> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
> >> +endif ! WITH_POLKIT0
> >> +
> >> uninstall-data-polkit::
> >> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> >> rmdir $(DESTDIR)$(policydir) || :
> >> +if ! WITH_POLKIT0
> >> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
> >> + rmdir $(DESTDIR)$(rulesdir) || :
> >> +endif ! WITH_POLKIT0
> >> +
> >> else ! WITH_POLKIT
> >> install-data-polkit::
> >> uninstall-data-polkit::
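Review bot: the installed file name `50-libvirt.rules` is spelled out twice, once in the install recipe and once in the uninstall recipe, while the source name lives in `$(rulesfile)`; defining the target name in a variable next to `rulesfile` in the earlier hunk keeps the two recipes from drifting apart. The `rmdir $(DESTDIR)$(rulesdir) || :` mirrors the existing policydir handling and only removes the directory when it is empty, which is fine.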
> >> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
> >> new file mode 100644
> >> index 0000000..e70c09b
> >> --- /dev/null
> >> +++ b/daemon/libvirt.rules
> >> @@ -0,0 +1,9 @@
> >> +// Allow any user in the 'libvirtadm' group to connect to system libvirtd
> >> +// without entering a password.
> >> +
> >> +polkit.addRule(function(action, subject) {
> >> + if (action.id == "org.libvirt.unix.manage" &&
> >> + subject.isInGroup("libvirtadm")) {
> >> + return polkit.Result.YES;
> >> + }
> >> +});
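Review bot: the rule returns polkit.Result.YES for every member of libvirtadm without looking at the session, so a group member logged in remotely or from an inactive session also gets password-less org.libvirt.unix.manage; since the commit message equates this action with root-password access, consider narrowing the match to local, active sessions, e.g. `subject.isInGroup("libvirtadm") && subject.local && subject.active`, and say in the header comment that membership is effectively root-equivalent so admins add users to the group deliberately. Style: prefer `===` over `==` for the action.id comparison.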
> >> diff --git a/libvirt.spec.in b/libvirt.spec.in
> >> index 20af502..10a28a2 100644
> >> --- a/libvirt.spec.in
> >> +++ b/libvirt.spec.in
> >> @@ -1645,9 +1645,9 @@ then
> >> fi
> >>
> >> %if %{with_libvirtd}
> >> +%pre daemon
> >> %if ! %{with_driver_modules}
> >> %if %{with_qemu}
> >> -%pre daemon
> >> %if 0%{?fedora} || 0%{?rhel} >= 6
> >> # We want soft static allocation of well-known ids, as disk images
> >> # are commonly shared across NFS mounts by id rather than name; see
> >> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
> >> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
> >> fi
> >> fi
> >> -exit 0
> >> %endif
> >> %endif
> >> %endif
> >>
> >> + %if %{with_polkit}
> >> + %if 0%{?fedora} || 0%{?rhel} >= 6
> >> +# 'libvirtadm' group is just to allow password-less polkit access to
> >> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> >> +# described at the above link.
> >> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
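Review bot: dropping `exit 0` at the end of the qemu-user block means the %pre scriptlet's status now comes from its last command, so with the quoted ordering a failing `groupadd -r libvirtadm` would abort installation of the daemon package; that is defensible for a group the new polkit rule depends on, but it should be a deliberate choice, and the quoted hunk stops before the matching `%endif` lines, so confirm whether a trailing `exit 0` follows them. The leading space on `+ %if %{with_polkit}` and `+ %if 0%{?fedora} ...` is also inconsistent with the unindented `%if` lines in the surrounding context.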
> >
> > Hmm, you know I think we should probably file a bug against the
> > 'setup' RPM in Fedora to request allocation of a group ID value
> > for this, so we can default to using a fixed group ID, as we do
> > for other users/groups we create
> >
>
> The recommendations don't seem to suggest that:
>
> https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Allocation_Strategies
>
> Quote: Soft static allocation is only appropriate for packages where the UID
> or GID values are shared between computers
>
> I can't think of a good case when we would need that for libvirtadm...
> certainly no files need to be owned by it
Ah, ok then. ACK
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|