[libvirt] Can we allow users in 'qemu' group to skip polkit auth?
Jiri Denemark
jdenemar at redhat.com
Tue Jun 11 21:51:55 UTC 2013
On Tue, Jun 11, 2013 at 17:11:12 -0400, Cole Robinson wrote:
> There's a bug report filed against Fedora libvirt requesting a polkit rule be
> installed that grants read/write libvirt access to all users in the 'qemu' group:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>
> I'm inclined to agree with the reporter, and time has shown that many users
> install custom polkit rules to grant their user passwordless access to libvirt
> so this would definitely fill a need.
>
> I'm sure there's plenty to consider here since we are talking about security.
> Thoughts?
I don't know if it's a generally good idea or not being a polkit
illiterate, however, I know for sure it should not be allowed for 'qemu'
group. We certainly don't want QEMU (run as qemu:qemu) to be able to
mess with libvirt. That said, if we should create a dedicated 'libvirt'
group in case we implement the requested polkit rule.
Jirka
More information about the libvir-list
mailing list