[libvirt] [PATCH] polkit: Allow password-less access for 'libvirt' group

Daniel P. Berrange berrange at redhat.com
Thu Apr 30 09:21:29 UTC 2015


On Wed, Apr 29, 2015 at 03:44:46PM -0400, Cole Robinson wrote:
> On 04/29/2015 03:42 PM, Guido Günther wrote:
> > On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
> >> Many users, who admin their own machines, want to be able to access
> >> system libvirtd via tools like virt-manager without having to enter
> >> a root password. Just google 'virt-manager without password' and
> >> you'll find many hits. I've read at least 5 blog posts over the years
> >> describing slightly different ways of achieving this goal.
> >>
> >> Let's finally add official support for this.
> >>
> >> Install a polkit-1 rules file granting password-less auth for any user
> >> in the new 'libvirt' group. Create the group on RPM install.
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> >> ---
> >>  daemon/50-libvirt.rules |  9 +++++++++
> >>  daemon/Makefile.am      | 13 +++++++++++++
> >>  libvirt.spec.in         | 15 +++++++++++++--
> >>  3 files changed, 35 insertions(+), 2 deletions(-)
> >>  create mode 100644 daemon/50-libvirt.rules
> >>
> >> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
> >> new file mode 100644
> >> index 0000000..01a15fa
> >> --- /dev/null
> >> +++ b/daemon/50-libvirt.rules
> >> @@ -0,0 +1,9 @@
> >> +// Allow any user in the 'libvirt' group to connect to system libvirtd
> >> +// without entering a password.
> >> +
> >> +polkit.addRule(function(action, subject) {
> >> +    if (action.id == "org.libvirt.unix.manage" &&
> >> +        subject.isInGroup("libvirt")) {
> >> +        return polkit.Result.YES;
> >> +    }
> >> +});
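Review bot: The condition `subject.isInGroup("libvirt")` is the only gate on `org.libvirt.unix.manage`, so every session belonging to a group member is granted access without authentication, whether or not it is a local, active one. If the goal is password-less use from a desktop tool such as virt-manager, consider also requiring `subject.local && subject.active`, or state in the header comment that remote sessions are deliberately covered. The header comment should also spell out that membership in the group gives management access to system libvirtd, so that admins adding users to it know what they are granting.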
> > 
> > That's what we're shipping in Debian since quite some time:
> > 
> >     https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules
> > 
> > even with the same group name (which came from the group that owns the
> > socket for socket based permissions). Would be great to be consistent
> > across distros.
> > 
> 
> Latest version of the patch uses libvirtadm at Dan's suggestion... but if
> there's already precedent with what Debian is shipping we might want to stick
> with plain 'libvirt'.
> 
> Dan, thoughts?

Yeah, since both Suse and Debian have shipped this already with a group
name of 'libvirt', we should use that for consistency.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|