[libvirt] [PATCH] polkit: Allow password-less access for 'libvirt' group

Cole Robinson crobinso at redhat.com
Wed Apr 29 19:44:46 UTC 2015


On 04/29/2015 03:42 PM, Guido Günther wrote:
> On Tue, Apr 28, 2015 at 07:51:11PM -0400, Cole Robinson wrote:
>> Many users, who admin their own machines, want to be able to access
>> system libvirtd via tools like virt-manager without having to enter
>> a root password. Just google 'virt-manager without password' and
>> you'll find many hits. I've read at least 5 blog posts over the years
>> describing slightly different ways of achieving this goal.
>>
>> Let's finally add official support for this.
>>
>> Install a polkit-1 rules file granting password-less auth for any user
>> in the new 'libvirt' group. Create the group on RPM install
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=957300
>> ---
>>  daemon/50-libvirt.rules |  9 +++++++++
>>  daemon/Makefile.am      | 13 +++++++++++++
>>  libvirt.spec.in         | 15 +++++++++++++--
>>  3 files changed, 35 insertions(+), 2 deletions(-)
>>  create mode 100644 daemon/50-libvirt.rules
>>
>> diff --git a/daemon/50-libvirt.rules b/daemon/50-libvirt.rules
>> new file mode 100644
>> index 0000000..01a15fa
>> --- /dev/null
>> +++ b/daemon/50-libvirt.rules
>> @@ -0,0 +1,9 @@
>> +// Allow any user in the 'libvirt' group to connect to system libvirtd
>> +// without entering a password.
>> +
>> +polkit.addRule(function(action, subject) {
>> +    if (action.id == "org.libvirt.unix.manage" &&
>> +        subject.isInGroup("libvirt")) {
>> +        return polkit.Result.YES;
>> +    }
>> +});
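Review bot: the condition in the `if` checks only `action.id` and `subject.isInGroup("libvirt")`, so every session of a group member is granted `polkit.Result.YES`, including remote or inactive ones. If that is intended (for example for remote management over ssh), say so in the header comment; if not, add `subject.local && subject.active` to the condition. The header comment should also state that `org.libvirt.unix.manage` gives full management access to system libvirtd, which is effectively root on the host, so that admins know what adding a user to the group grants.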
> 
> That's what we're shipping in Debian since quite some time:
> 
>     https://anonscm.debian.org/cgit/pkg-libvirt/libvirt.git/tree/debian/polkit/60-libvirt.rules
> 
> even with the same group name (which came from the group that owns the
> socket for socket based permissions). Would be great to be consistent
> across distros.
> 

Latest version of the patch uses libvirtadm at Dan's suggestion... but if
there's already precedent with what Debian is shipping we might want to stick
with plain 'libvirt'.

Dan, thoughts?

- Cole



