[libvirt] [PATCH] remote: Don't reject remote polkit if client lacks support

Cole Robinson crobinso at redhat.com
Fri Apr 22 13:51:50 UTC 2016


ping

On 04/14/2016 03:41 PM, Cole Robinson wrote:
> If you compile a client --without-polkit, and connect to a URI that needs
> polkit auth, the connection will fail with:
> 
> $ ./tools/virsh --connect qemu+ssh://crobinso@machine/system
> error: failed to connect to the hypervisor
> error: authentication failed: unsupported authentication type 2
> 
> This is because the client side portion of the polkit handling is
> compiled out. However, nothing polkit specific is actually required
> of the client.
> 
> Fix that error by unconditionally compiling the basic polkit client
> handling.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=635529
> ---
> Granted, if polkit needs to do any interaction at all, and you are
> connecting to a remote machine, then things are going to fail anyways
> with a 'missing agent' error. But if you're user is in the 'libvirt'
> group polkit doesn't need to auth it should all work.
> 
> 
>  src/remote/remote_driver.c | 69 +++++++++++++++++++++-------------------------
>  1 file changed, 31 insertions(+), 38 deletions(-)
> 
> diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
> index da94411..6bed2c5 100644
> --- a/src/remote/remote_driver.c
> +++ b/src/remote/remote_driver.c
> @@ -132,11 +132,9 @@ static int remoteAuthenticate(virConnectPtr conn, struct private_data *priv,
>  #if WITH_SASL
>  static int remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
>                            virConnectAuthPtr auth, const char *mech);
> -#endif
> -#if WITH_POLKIT
> +#endif /* WITH_SASL */
>  static int remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
>                              virConnectAuthPtr auth);
> -#endif /* WITH_POLKIT */
>  
>  static virDomainPtr get_nonnull_domain(virConnectPtr conn, remote_nonnull_domain domain);
>  static virNetworkPtr get_nonnull_network(virConnectPtr conn, remote_nonnull_network network);
> @@ -3326,14 +3324,12 @@ remoteAuthenticate(virConnectPtr conn, struct private_data *priv,
>      }
>  #endif
>  
> -#if WITH_POLKIT
>      case REMOTE_AUTH_POLKIT:
>          if (remoteAuthPolkit(conn, priv, auth) < 0) {
>              VIR_FREE(ret.types.types_val);
>              return -1;
>          }
>          break;
> -#endif
>  
>      case REMOTE_AUTH_NONE:
>          /* Nothing todo, hurrah ! */
> @@ -3904,30 +3900,10 @@ remoteAuthSASL(virConnectPtr conn, struct private_data *priv,
>  #endif /* WITH_SASL */
>  
>  
> -#if WITH_POLKIT
> -# if WITH_POLKIT1
> -static int
> -remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
> -                 virConnectAuthPtr auth ATTRIBUTE_UNUSED)
> -{
> -    remote_auth_polkit_ret ret;
> -    VIR_DEBUG("Client initialize PolicyKit-1 authentication");
> -
> -    memset(&ret, 0, sizeof(ret));
> -    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
> -             (xdrproc_t) xdr_void, (char *)NULL,
> -             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
> -        return -1; /* virError already set by call */
> -    }
> -
> -    VIR_DEBUG("PolicyKit-1 authentication complete");
> -    return 0;
> -}
> -# elif WITH_POLKIT0
> -/* Perform the PolicyKit authentication process
> - */
> +#if WITH_POLKIT0
> +/* Perform the PolicyKit0 authentication process */
>  static int
> -remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
> +remoteAuthPolkit0(virConnectPtr conn, struct private_data *priv,
>                   virConnectAuthPtr auth)
>  {
>      remote_auth_polkit_ret ret;
> @@ -3943,14 +3919,8 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
>      };
>      VIR_DEBUG("Client initialize PolicyKit-0 authentication");
>  
> -    /* Check auth first and if it succeeds we are done. */
> -    memset(&ret, 0, sizeof(ret));
> -    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
> -             (xdrproc_t) xdr_void, (char *)NULL,
> -             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) == 0)
> -        goto out;
> -
> -    /* Auth failed.  Ask client to obtain it and check again. */
> +    /* We only make it here if auth already failed
> +     * Ask client to obtain it and check again. */
>      if (auth && auth->cb) {
>          /* Check if the necessary credential type for PolicyKit is supported */
>          for (i = 0; i < auth->ncredtype; i++) {
> @@ -3986,8 +3956,31 @@ remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
>      VIR_DEBUG("PolicyKit-0 authentication complete");
>      return 0;
>  }
> -# endif /* WITH_POLKIT0 */
> -#endif /* WITH_POLKIT */
> +#endif /* WITH_POLKIT0 */
> +
> +static int
> +remoteAuthPolkit(virConnectPtr conn, struct private_data *priv,
> +                 virConnectAuthPtr auth ATTRIBUTE_UNUSED)
> +{
> +    remote_auth_polkit_ret ret;
> +    VIR_DEBUG("Client initialize PolicyKit authentication");
> +
> +    memset(&ret, 0, sizeof(ret));
> +    if (call(conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
> +             (xdrproc_t) xdr_void, (char *)NULL,
> +             (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) {
> +        return -1; /* virError already set by call */
> +    }
> +
> +#if WITH_POLKIT0
> +    if (remoteAuthPolkit0(conn, priv, auth) < 0)
> +        return -1;
> +#endif /* WITH_POLKIT0 */
> +
> +    VIR_DEBUG("PolicyKit authentication complete");
> +    return 0;
> +}
> +
>  /*----------------------------------------------------------------------*/
>  
>  static int
> 




More information about the libvir-list mailing list