[libvirt] [PATCH dbus] Run system instance as an unprivileged user account

Pino Toscano ptoscano at redhat.com
Fri Oct 27 14:35:39 UTC 2017

On Friday, 27 October 2017 16:18:42 CEST Daniel P. Berrange wrote:
> There is no reason for the libvirt-dbus daemon to require root privileges. All
> it actually needs is ability to connect to libvirtd, which can be achieved by
> dropping in a polkit configuration file
> Now a libvirt connection to the system bus gives you privileges equivalent to
> root, so this doesn't really improve security on its own. It relies on there
> being a dbus policy that prevents users from issuing elevated APIs.
> For example, a DBus policy could allow non-root users to list VMs on the
> system bus and get their status (aka virsh list equiv). In this case, the
> security isolation does give some benefit.
> Security can be further improved if the admin uses the libvirt polkit file to
> restrict what libvirt-dbus is permitted to do.
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> [...]
> diff --git a/data/system/org.libvirt.conf b/data/system/org.libvirt.conf
> index 5cbc732..2b11717 100644
> --- a/data/system/org.libvirt.conf
> +++ b/data/system/org.libvirt.conf
> @@ -4,7 +4,7 @@
>  <busconfig>
> -  <policy user="root">
> +  <policy user="libvirtdbus">
>      <allow own="org.libvirt"/>
>      <allow send_destination="org.libvirt"/>
>    </policy>

Most probably this file should be git rm'ed, and added to the

Pino Toscano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20171027/e5e324ca/attachment-0001.sig>

More information about the libvir-list mailing list