[libvirt] [PATCH v3] polkit: Allow password-less access for 'libvirt' group
Guido Günther
agx at sigxcpu.org
Sun May 3 13:43:44 UTC 2015
On Thu, Apr 30, 2015 at 09:14:13AM -0400, Cole Robinson wrote:
> Many users, who admin their own machines, want to be able to access
> system libvirtd via tools like virt-manager without having to enter
> a root password. Just google 'virt-manager without password' and
> you'll find many hits. I've read at least 5 blog posts over the years
> describing slightly different ways of achieving this goal.
>
> Let's finally add official support for this.
>
> Install a polkit-1 rules file granting password-less auth for any user
> in the new 'libvirt' group. Create the group on RPM install
>
> https://bugzilla.redhat.com/show_bug.cgi?id=957300
> ---
> v3:
> Back to group=libvirt to match what debian and suse are using
>
> Patch is unchanged otherwise. So unless there are objections I'll carry
> over the previous ACK from danpb and push after the release is out
>
> daemon/Makefile.am | 13 +++++++++++++
> daemon/libvirt.rules | 9 +++++++++
> libvirt.spec.in | 15 +++++++++++++--
> 3 files changed, 35 insertions(+), 2 deletions(-)
> create mode 100644 daemon/libvirt.rules
>
> diff --git a/daemon/Makefile.am b/daemon/Makefile.am
> index 300b9a5..974feed 100644
> --- a/daemon/Makefile.am
> +++ b/daemon/Makefile.am
> @@ -53,6 +53,7 @@ EXTRA_DIST = \
> libvirtd.init.in \
> libvirtd.upstart \
> libvirtd.policy.in \
> + libvirt.rules \
> libvirtd.sasl \
> libvirtd.service.in \
> libvirtd.socket.in \
> @@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
> else ! WITH_POLKIT0
> policydir = $(datadir)/polkit-1/actions
> policyauth = auth_admin_keep
> +rulesdir = $(datadir)/polkit-1/rules.d
> +rulesfile = libvirt.rules
> endif ! WITH_POLKIT0
> endif WITH_POLKIT
>
> @@ -263,9 +266,19 @@ if WITH_POLKIT
> install-data-polkit::
> $(MKDIR_P) $(DESTDIR)$(policydir)
> $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> +if ! WITH_POLKIT0
> + $(MKDIR_P) $(DESTDIR)$(rulesdir)
> + $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
> +endif ! WITH_POLKIT0
> +
> uninstall-data-polkit::
> rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
> rmdir $(DESTDIR)$(policydir) || :
> +if ! WITH_POLKIT0
> + rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
> + rmdir $(DESTDIR)$(rulesdir) || :
> +endif ! WITH_POLKIT0
> +
> else ! WITH_POLKIT
> install-data-polkit::
> uninstall-data-polkit::
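Review bot: The installed file name `50-libvirt.rules` is spelled out by hand in both the install and the uninstall recipe of this hunk, and a third time in the libvirt.spec.in %files hunk, while `rulesfile` only names the source file; the three copies can drift without any build error, leaving a stale rule file behind on uninstall. Define the installed name once next to `rulesdir`, e.g. `rulesinstall = 50-libvirt.rules`, and use `$(DESTDIR)$(rulesdir)/$(rulesinstall)` in both recipes. The trailing `rmdir ... || :` is fine since rmdir refuses a non-empty directory, but a one-line comment saying it is intentionally best-effort because rules.d is shared with other packages would help the next reader.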
> diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
> new file mode 100644
> index 0000000..01a15fa
> --- /dev/null
> +++ b/daemon/libvirt.rules
> @@ -0,0 +1,9 @@
> +// Allow any user in the 'libvirt' group to connect to system libvirtd
> +// without entering a password.
> +
> +polkit.addRule(function(action, subject) {
> + if (action.id == "org.libvirt.unix.manage" &&
> + subject.isInGroup("libvirt")) {
> + return polkit.Result.YES;
> + }
> +});
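Review bot: The header comment understates what the rule grants: `org.libvirt.unix.manage` is the read-write connection to system libvirtd, and a caller with that access can define and start guests backed by arbitrary host disks and devices, which is generally regarded as root-equivalent on the host. Since this file is what turns a group name into a privilege boundary, it should say so, e.g. add `// NOTE: manage access is effectively root-equivalent; add users to 'libvirt' as carefully as to sudo/wheel.` after the existing two comment lines. The `==` comparison on the action id works, but `===` is the usual form in polkit JavaScript rules; a style point only.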
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 20af502..c71ef25 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1645,9 +1645,9 @@ then
> fi
>
> %if %{with_libvirtd}
> +%pre daemon
> %if ! %{with_driver_modules}
> %if %{with_qemu}
> -%pre daemon
> %if 0%{?fedora} || 0%{?rhel} >= 6
> # We want soft static allocation of well-known ids, as disk images
> # are commonly shared across NFS mounts by id rather than name; see
> @@ -1661,11 +1661,21 @@ if ! getent passwd qemu >/dev/null; then
> useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
> fi
> fi
> -exit 0
> %endif
> %endif
> %endif
>
> + %if %{with_polkit}
> + %if 0%{?fedora} || 0%{?rhel} >= 6
> +# 'libvirt' group is just to allow password-less polkit access to
> +# libvirtd. The uid number is irrelevant, so we use dynamic allocation
> +# described at the above link.
> +getent group libvirt >/dev/null || groupadd -r libvirt
> + %endif
> + %endif
> +
> +exit 0
> +
> %post daemon
>
> %if %{with_systemd}
> @@ -1939,6 +1949,7 @@ exit 0
> %if 0%{?fedora} || 0%{?rhel} >= 6
> %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
> %{_datadir}/polkit-1/actions/org.libvirt.api.policy
> +%{_datadir}/polkit-1/rules.d/50-libvirt.rules
> %else
> %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
> %endif
> --
ACK.
-- Guido