[libvirt] [PATCH v2] polkit: Allow password-less access for 'libvirtadm' group
Cole Robinson
crobinso at redhat.com
Wed Apr 29 15:37:34 UTC 2015
On 04/29/2015 11:36 AM, Daniel P. Berrange wrote:
> On Wed, Apr 29, 2015 at 11:35:35AM -0400, Cole Robinson wrote:
>> On 04/29/2015 11:28 AM, Daniel P. Berrange wrote:
>>> On Wed, Apr 29, 2015 at 11:04:42AM -0400, Cole Robinson wrote:
>>>> Many users, who admin their own machines, want to be able to access
>>>> system libvirtd via tools like virt-manager without having to enter
>>>> a root password. Just google 'virt-manager without password' and
>>>> you'll find many hits. I've read at least 5 blog posts over the years
>>>> describing slightly different ways of achieving this goal.
>>>>
>>>> Let's finally add official support for this.
>>>>
>>>> Install a polkit-1 rules file granting password-less auth for any user
>>>> in the new 'libvirtadm' group. Create the group on RPM install.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>>>> ---
>>>> v2:
>>>> - Name the group libvirtadm (danpb)
>>>> - Name the source file libvirt.rules and rename on install (eblake)
>>>>
>>>> daemon/Makefile.am | 13 +++++++++++++
>>>> daemon/libvirt.rules | 9 +++++++++
>>>> libvirt.spec.in | 15 +++++++++++++--
>>>> 3 files changed, 35 insertions(+), 2 deletions(-)
>>>> create mode 100644 daemon/libvirt.rules
>>>>
>>>> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
>>>> index 300b9a5..974feed 100644
>>>> --- a/daemon/Makefile.am
>>>> +++ b/daemon/Makefile.am
>>>> @@ -53,6 +53,7 @@ EXTRA_DIST = \
>>>> libvirtd.init.in \
>>>> libvirtd.upstart \
>>>> libvirtd.policy.in \
>>>> + libvirt.rules \
>>>> libvirtd.sasl \
>>>> libvirtd.service.in \
>>>> libvirtd.socket.in \
>>>> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
>>>> else ! WITH_POLKIT0
>>>> policydir = $(datadir)/polkit-1/actions
>>>> policyauth = auth_admin_keep
>>>> +rulesdir = $(datadir)/polkit-1/rules.d
>>>> +rulesfile = libvirt.rules
>>>> endif ! WITH_POLKIT0
>>>> endif WITH_POLKIT
>>>>
>>>> @@ -263,9 +266,19 @@ if WITH_POLKIT
>>>> install-data-polkit::
>>>> $(MKDIR_P) $(DESTDIR)$(policydir)
>>>> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>>>> +if ! WITH_POLKIT0
>>>> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
>>>> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
>>>> +endif ! WITH_POLKIT0
>>>> +
>>>> uninstall-data-polkit::
>>>> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
>>>> rmdir $(DESTDIR)$(policydir) || :
>>>> +if ! WITH_POLKIT0
>>>> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
>>>> + rmdir $(DESTDIR)$(rulesdir) || :
>>>> +endif ! WITH_POLKIT0
>>>> +
>>>> else ! WITH_POLKIT
>>>> install-data-polkit::
>>>> uninstall-data-polkit::
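Review bot: The added uninstall line `rmdir $(DESTDIR)$(rulesdir) || :` targets `$(datadir)/polkit-1/rules.d`, a directory that polkit itself normally provides and that other packages drop rules into, so libvirt should leave it in place and keep only the `rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules` line. It copies the existing `policydir` handling, but here the directory decides which authorization rules are loaded. On the install side, `$(MKDIR_P) $(DESTDIR)$(rulesdir)` creates the directory with default mode if it is missing, whereas polkit packages commonly ship it with restricted ownership and mode, so a comment that the packager owns the directory's permissions would help. The install name also fixes the evaluation order and deserves a line such as `# 50- prefix: rules files that sort earlier are evaluated first and can override this grant`.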
>>>> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
>>>> new file mode 100644
>>>> index 0000000..e70c09b
>>>> --- /dev/null
>>>> +++ b/daemon/libvirt.rules
>>>> @@ -0,0 +1,9 @@
>>>> +// Allow any user in the 'libvirtadm' group to connect to system libvirtd
>>>> +// without entering a password.
>>>> +
>>>> +polkit.addRule(function(action, subject) {
>>>> + if (action.id == "org.libvirt.unix.manage" &&
>>>> + subject.isInGroup("libvirtadm")) {
>>>> + return polkit.Result.YES;
>>>> + }
>>>> +});
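Review bot: The header comment in `libvirt.rules` understates what the rule grants. `org.libvirt.unix.manage` is the read-write management action for system libvirtd, so returning `polkit.Result.YES` makes membership in `libvirtadm` effectively root-equivalent on the host; the comment should say so, e.g. `// NOTE: org.libvirt.unix.manage gives full control of system libvirtd; treat 'libvirtadm' membership as root-equivalent.` The condition also does not consult `subject.local` or `subject.active`, so the grant covers remote and inactive sessions of a group member as well. If that is intended (for example for access over ssh), state it in the comment so administrators auditing group membership know the scope. As a style point, `===` is the conventional comparison for `action.id`.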
>>>> diff --git a/libvirt.spec.in b/libvirt.spec.in
>>>> index 20af502..10a28a2 100644
>>>> --- a/libvirt.spec.in
>>>> +++ b/libvirt.spec.in
>>>> @@ -1645,9 +1645,9 @@ then
>>>> fi
>>>>
>>>> %if %{with_libvirtd}
>>>> +%pre daemon
>>>> %if ! %{with_driver_modules}
>>>> %if %{with_qemu}
>>>> -%pre daemon
>>>> %if 0%{?fedora} || 0%{?rhel} >= 6
>>>> # We want soft static allocation of well-known ids, as disk images
>>>> # are commonly shared across NFS mounts by id rather than name; see
>>>> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
>>>> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
>>>> fi
>>>> fi
>>>> -exit 0
>>>> %endif
>>>> %endif
>>>> %endif
>>>>
>>>> + %if %{with_polkit}
>>>> + %if 0%{?fedora} || 0%{?rhel} >= 6
>>>> +# 'libvirtadm' group is just to allow password-less polkit access to
>>>> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
>>>> +# described at the above link.
>>>> +getent group libvirtadm >/dev/null || groupadd -r libvirtadm
>>>
>>> Hmm, you know I think we should probably file a bug against the
>>> 'setup' RPM in Fedora to request allocation of a group ID value
>>> for this, so we can default to using a fixed group ID, as we do
>>> for other users/groups we create
>>>
>>
>> The recommendations don't seem to suggest that:
>>
>> https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Allocation_Strategies
>>
>> Quote: Soft static allocation is only appropriate for packages where the UID
>> or GID values are shared between computers
>>
>> I can't think of a good case when we would need that for libvirtadm...
>> certainly no files need to be owned by it
>
> Ah, ok then. ACK
>
Thanks, I'll push after the release
- Cole