[Libvir] [RFC PATCH] Solaris least privilege

John Levon levon at movementarian.org
Thu Apr 24 15:06:04 UTC 2008

On Thu, Apr 24, 2008 at 03:59:26PM +0100, Daniel P. Berrange wrote:

> I'd just like to see if have an impl for Solaris - whether you happen to
> use it or not, is separate issue. Some people may be taking libvirt 

Fair enough.

> > When there's genuine configuration values that users need for something
> > enabled on Solaris, it will be in SMF anyway, so will need re-working on
> > the config backend in libvirt.
> So you're not making use of any of the remote management features like 
> TLS and SASL/Kerberos ? I'd think at least users need the config to switch
> between which auth scheme they'd like to use, because the choice of TLS
> vs Kerberos is really  a deployment question for admins.

Today, we're not. When we do, as I said, we'll need libvirt changes to
understand SMF configuration instead of the config file, so we'll have
to fix up things there.

> > > > +int
> > > > +xenHavePrivilege()
> > > > +{
> > > > +#ifdef __sun
> > > > +	return priv_ineffect (PRIV_XVM_CONTROL);
> > > > +#else
> > > > +	return getuid () == 0;
> > > > +#endif
> > > > +}
> > > 
> > > As mentioned earlier, we probably want to move this into the util.c file
> > > and have the privilege name passed in as a parameter.
> > 
> > Could you explain further how you see this working?
> Something like
>     int virHavePrivilege(const char *);
> Pass in  PRIV_XEN_CONTROL, and on Solaris have that check with your
> prvilege code, and on Linux just have it ignore the param and check
> the UID.  It is likely we'll do more fine grained checks based on 
> named privileges on Linux too

I'm not sure I like this. It's pushing out a Solaris-specific detail
("PRIV_XVM_CONTROL") to every user. Furthermore, I'm not sure about it
being generic either: PRIV_XVM_CONTROL wouldn't apply to qemu on
Solaris, or zones, or whatever.

> > This just adds a whole bunch of extra code to no clear advantage?
> There's no extra code because virsh console already exists and isn't
> going away because it offers  a superset of what xenconsole does, by
> virtue of being portable

Sure there is:

 - code to spawn and run virt-console
 - all the current virsh console code in virt-console
 - the least-priv implementation in virt-console, duplicating xenconsole

Note the latter is going to be Xen-specific (indeed, Xen on Solaris
specific). There's no way I can avoid that.

Anyway, if you're set on this, I'm not entirely averse to it, I'm just
not sure I see the point.


More information about the libvir-list mailing list