[libvirt] Group for accessing one/all VM graphics and not virsh

Reeted reeted at shiftmail.org
Mon Dec 5 17:41:54 UTC 2011

Hello libvirt people,

is there a (preferably simple) way in Linux to allow a certain set of 
users to be able to do:

virt-viewer --connect qemu+ssh://username@virthost/system vmname

for connecting to virt-viewer BUT without letting them do all the other 
things that can be done with virsh?

I know that if I add them to the libvirtd and kvm groups, they will be 
able to connect with virt-viewer to any virtual machine AND ALSO do any 
virsh command on any virtual machine. This is too much permission.

I can accept the first part (a way to allow a group of users to connect 
with virt-viewer to all the virtual machines of the host) since more 
restriction can be enforced by using VNC passwords... But if they are 
also able to do anything in virsh that's too much.

I am using only qemu and kvm in libvirt.

Thank you

