[Libvir] PATCH: Don't request polkit auth if client is root

Daniel P. Berrange berrange at redhat.com
Fri Apr 4 11:48:26 UTC 2008


On Fri, Apr 04, 2008 at 09:55:50AM +0200, Jim Meyering wrote:
> "Daniel P. Berrange" <berrange at redhat.com> wrote:
> > This patch makes two adjustments to the way policy kit authentication is
> > done.
> >
> >  - Currently the server unconditionally ask the client to do policykit
> >    authentication. This is unnecessary if the remote client is running
> >    as root, which we can check via UNIX socket credentials. Unconditionally
> >    asking plays havoc with SSH tunneling, so this patch makes it check the
> >    socket credentials &not ask for auth if the client is UID==0
> >
> >  - The virsh client will unconditionally call polkit-auth to request
> >    credentials. This is also unneccessary if the client is running as
> >    root, so this patch makes it skip that step as root.
> >
> > The patch is bigger than it seems because removing an if() conditional
> > made a huge chunk be re-indented.
> 
> Good idea.  Looks fine.
> ACK.
> 
> [BTW, thanks for the SO_PEERCRED example -- I didn't know about it,
>  and was surprised to find so little documentation on it. ]

There's lots more variants on this for other OS - DBus has a whole bunch of
different implementations. Unfortunatley DBus is GPL/AFL licensed so I don't
believe we can use their code for that directly.


Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|




More information about the libvir-list mailing list