[Libvir] PATCH: 4/10: PolicyKit authentication support

Daniel P. Berrange berrange at redhat.com
Wed Dec 5 15:49:21 UTC 2007


On Thu, Nov 29, 2007 at 05:18:41PM +0000, Daniel P. Berrange wrote:
> This patch adds support for a PolicyKit authentication mechanism. This
> was previously described here:
> 
> http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html
> 
> If PolicyKit is compiled in, then the UNIX domain sockets have their
> default settings changed to make use of PolicyKit. Thus, when PolicyKit
> is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then
> called upon client connect to decide whether to allow the client to gain
> access.
> 
> The policyfile is shipped in /usr/share/PolicyKit/policy and has default
> settings to mimic current non-PolicyKit access. If making a read-only
> connection, any application will be granted access by default. If making
> a read-write connection, applications will need to authenticate against
> PolicyKit by providing the user's own password. This is akin to 'sudo'
> style auth. The credentials persist until the user logs out.
> 
> The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin
> to override the default policy on a per-host basis. e.g., they could restrict
> access to the read-only connections, or open up the read-write connections
> to more apps. See 'man PolicyKit.conf' for more info.
> 
> The configure script will check for PolicyKit using pkg-config and only
> enable it if actually present. So any OS without PolicyKit will not be
> impacted by this patch.
> 
>  b/qemud/libvirtd.policy             |   42 +++++++++++
>  configure.in                        |   25 ++++++
>  libvirt.spec.in                     |    3 
>  qemud/Makefile.am                   |   11 ++
>  qemud/internal.h                    |    7 +
>  qemud/libvirtd.conf                 |   18 +++-
>  qemud/qemud.c                       |   37 +++++++++
>  qemud/remote.c                      |  135 +++++++++++++++++++++++++++++++++++-
>  qemud/remote_dispatch_localvars.h   |    1 
>  qemud/remote_dispatch_proc_switch.h |    6 +
>  qemud/remote_dispatch_prototypes.h  |    1 
>  qemud/remote_protocol.c             |    9 ++
>  qemud/remote_protocol.h             |    9 ++
>  qemud/remote_protocol.x             |   10 ++
>  src/remote_internal.c               |   35 +++++++++
>  15 files changed, 340 insertions(+), 9 deletions(-)

If anyone has objections / comments wrt this patch please say so now
otherwise I'll commit it in an hour or so.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 
