Commit da11813c authored by Guido Günther

Use polkit instead of socket permissions

As before, membership in the libvirt group gives r/w access to all VMs.
parent 7359fcb5
......@@ -53,8 +53,9 @@ can handle the virtual bridges.
Access Control
==============
Access to the libvirt socket is controlled by membership in the "libvirt" group.
If you want to manage VMs as non root you need to add a user to that group.
Access to the libvirt managing tasks is controlled by PolicyKit. To ease
configuration membership in the "libvirt" group is sufficient. If you want to
manage VMs as non-root you need to add a user to that group.
Note that this will allow users in this group to use all of libvirt's
API including modifying files on the host. For finer grained access
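Review bot: The new paragraph says membership in the "libvirt" group is sufficient but never says what makes it so. Name the shipped rule file, /etc/polkit-1/rules.d/60-libvirt.rules, in this paragraph, so that an administrator who reads on to "For finer grained access" knows which file has to be edited or overridden before group membership stops meaning full use of the API, including modifying files on the host.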
......@@ -83,4 +84,4 @@ for a complete explanation:
<http://bugs.debian.org/453627>
<http://bugs.debian.org/614291>
-- Guido Günther <agx@sigxcpu.org> Mon, 06 Feb 2011 17:28:35 +0200
-- Guido Günther <agx@sigxcpu.org> Sun, 28 Sep 2014 09:50:41 +0200
......@@ -127,6 +127,7 @@ Depends:
libvirt-clients (= ${binary:Version}),
libvirt-daemon (= ${binary:Version}),
logrotate,
policykit-1,
Recommends:
bridge-utils,
dmidecode,
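Review bot: The added "policykit-1," in Depends carries no version constraint, while the rule this commit installs is a JavaScript rule (polkit.addRule) under /etc/polkit-1/rules.d/. If the installed policykit-1 does not evaluate rules from that directory, the file is ignored and the libvirt group grant silently does not apply. Either version the dependency to a release that reads rules.d, or record in the changelog which policykit-1 this was tested against.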
......@@ -137,7 +138,7 @@ Recommends:
parted,
pm-utils,
Section: admin
Suggests: policykit-1, radvd, auditd, systemtap, systemd, apparmor
Suggests: radvd, auditd, systemtap, systemd, apparmor
Breaks: avahi-daemon (<< 0.6.31-3~)
Replaces: libvirt-bin (<< 1.2.7-4~)
Conflicts: libvirt-bin (<< 1.2.6-1~)
......
libvirt (1.2.9~rc1-1) experimental; urgency=medium
libvirtd now uses PolicyKit instead of unix socket domain permissions for r/w
connections. This has the advantage of requiring less reconfiguration when
using ACL based access and bringing us closer to upstream's recommendations.
In order to keep old configurations working we're still allowing all members
of the libvirt group full access via /etc/polkit-1/rules.d/60-libvirt.rules.
If you want to continue to use socket permission based access control you can
still configure it in /etc/libvirt/libvirtd.conf.
-- Guido Günther <agx@sigxcpu.org> Sat, 27 Sep 2014 19:22:46 +0200
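Review bot: The last sentence of this entry points at /etc/libvirt/libvirtd.conf without naming the settings to change. List them (unix_sock_group, unix_sock_rw_perms and auth_unix_rw are the ones the old Debian patch set), and say that auth_unix_rw = "none" takes PolicyKit out of the path for the r/w socket, so the reader knows the two mechanisms are alternatives. Also, "unix socket domain permissions" in the first sentence should read "unix domain socket permissions".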
......@@ -9,3 +9,4 @@
/var/log/libvirt/uml
/var/log/libvirt/lxc
/etc/libvirt/hooks
/etc/polkit-1/rules.d/
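Review bot: Style point on the added line: the existing entries (/var/log/libvirt/lxc, /etc/libvirt/hooks) are written without a trailing slash, so "/etc/polkit-1/rules.d/" should be "/etc/polkit-1/rules.d" to match.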
From: Guido Guenther <agx@sigxcpu.org>
Date: Thu, 26 Jun 2008 20:01:38 +0200
Subject: Allow libvirt group to access the socket
---
daemon/libvirtd.conf | 9 +++++----
daemon/test_libvirtd.aug.in | 4 ----
2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index d4f6a1c..06cb97f 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -87,7 +87,7 @@
# without becoming root.
#
# This is restricted to 'root' by default.
-#unix_sock_group = "libvirt"
+unix_sock_group = "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
@@ -104,7 +104,8 @@
#
# If not using PolicyKit and setting group ownership for access
# control, then you may want to relax this too.
-#unix_sock_rw_perms = "0770"
+# control then you may want to relax this to:
+unix_sock_rw_perms = "0770"
# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"
@@ -135,7 +136,7 @@
#
# To restrict monitoring of domains you may wish to enable
# an authentication mechanism here
-#auth_unix_ro = "none"
+auth_unix_ro = "none"
# Set an authentication scheme for UNIX read-write sockets
# By default socket permissions only allow root. If PolicyKit
@@ -144,7 +145,7 @@
#
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
-#auth_unix_rw = "none"
+auth_unix_rw = "none"
# Change the authentication scheme for TCP sockets.
#
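Review bot: In this hunk auth_unix_rw = "none" is active, and together with unix_sock_group = "libvirt" and unix_sock_rw_perms = "0770" above it means the r/w socket is guarded by file permissions only and PolicyKit is never asked. That contradicts the commit subject if the patch stays applied. The rendered page has lost the markers that would show whether this patch file and its entry in the series list below are being deleted; please confirm both are removed in this commit, otherwise the new 60-libvirt.rules has no effect on local r/w connections.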
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 37ff33d..8c4e8a4 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -9,12 +9,8 @@ module Test_libvirtd =
{ "listen_addr" = "192.168.0.1" }
{ "mdns_adv" = "1" }
{ "mdns_name" = "Virtualization Host Joe Demo" }
- { "unix_sock_group" = "libvirt" }
{ "unix_sock_ro_perms" = "0777" }
- { "unix_sock_rw_perms" = "0770" }
{ "unix_sock_dir" = "/var/run/libvirt" }
- { "auth_unix_ro" = "none" }
- { "auth_unix_rw" = "none" }
{ "auth_tcp" = "sasl" }
{ "auth_tls" = "none" }
{ "access_drivers"
debian/remove-RHism.diff.patch
debian/Don-t-enable-default-network-on-boot.patch
debian/Allow-libvirt-group-to-access-the-socket.patch
debian/fix-Debian-specific-path-to-hvm-loader.patch
debian/Debianize-libvirt-guests.patch
patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch
......
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
// Mimic behaviour of group libvirt owning libvirt's rw socket
//
// See the polkit(8) man page for more information
// about configuring polkit.
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
subject.isInGroup("libvirt")) {
return polkit.Result.YES;
}
});
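Review bot: The rule returns polkit.Result.YES for org.libvirt.unix.manage on group membership alone, with no check of subject.local or subject.active and no authentication step, so any process of a group member, including one in a remote or inactive session, gets full management rights. That matches the old socket behaviour the header comment refers to, but the comment should say so explicitly and repeat the README's warning that this covers all of libvirt's API, so an administrator opening the file sees what it grants and that removing or tightening it is the way to restrict access.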
......@@ -145,6 +145,9 @@ override_dh_install:
debian/libvirt-daemon-system.libvirt-guests.init
cp tools/libvirt-guests.sysconf \
debian/libvirt-daemon-system.libvirt-guests.default
# Add our backward compat polkit rule
cp debian/polkit/60-libvirt.rules \
debian/libvirt-daemon-system/etc/polkit-1/rules.d/
ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
# Linux supports more nice things:
dh_install -p libvirt-daemon-system usr/lib/systemd/system lib/systemd/
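Review bot: The added cp into debian/libvirt-daemon-system/etc/polkit-1/rules.d/ only works if that directory already exists at this point in override_dh_install, and it copies whatever mode the source file has in the tree. Use "install -D -m 0644 debian/polkit/60-libvirt.rules" with the full target file name instead, so the step neither depends on the dirs entry having been processed first nor ships the rule with unexpected permissions.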
......