[Libvir] PATCH: 4/10: PolicyKit authentication support
Daniel P. Berrange
berrange at redhat.com
Wed Dec 5 15:49:21 UTC 2007
On Thu, Nov 29, 2007 at 05:18:41PM +0000, Daniel P. Berrange wrote:
> This patch adds support for a PolicyKit authentication mechanism. This
> was previously described here:
>
> http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html
>
> If PolicyKit is compiled in, then the UNIX domain sockets have their
> default settings changed to make use of PolicyKit. Thus, when PolicyKit
> is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then
> called upon client connect to decide whether to allow the client to gain
> access.
>
> The policy file is shipped in /usr/share/PolicyKit/policy and has default
> settings to mimic current non-PolicyKit access. If making a read-only
> connection, any application will be granted access by default. If making
> a read-write connection, applications will need to authenticate against
> PolicyKit by providing the user's own password. This is akin to 'sudo'
> style auth. The credentials persist until the user logs out.
>
> The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin
> to override the default policy on a per-host basis. E.g., they could restrict
> access to the read-only connections, or open up the read-write connections
> to more apps. See 'man PolicyKit.conf' for more info.
>
> The configure script will check for PolicyKit using pkg-config and only
> enable it if actually present. So any OS without PolicyKit will not be
> impacted by this patch.
>
> b/qemud/libvirtd.policy | 42 +++++++++++
> configure.in | 25 ++++++
> libvirt.spec.in | 3
> qemud/Makefile.am | 11 ++
> qemud/internal.h | 7 +
> qemud/libvirtd.conf | 18 +++-
> qemud/qemud.c | 37 +++++++++
> qemud/remote.c | 135 +++++++++++++++++++++++++++++++++++-
> qemud/remote_dispatch_localvars.h | 1
> qemud/remote_dispatch_proc_switch.h | 6 +
> qemud/remote_dispatch_prototypes.h | 1
> qemud/remote_protocol.c | 9 ++
> qemud/remote_protocol.h | 9 ++
> qemud/remote_protocol.x | 10 ++
> src/remote_internal.c | 35 +++++++++
> 15 files changed, 340 insertions(+), 9 deletions(-)
If anyone has objections / comments wrt this patch, please say so now;
otherwise I'll commit it in an hour or so.
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|