[PATCH] polkit: Allow libvirt group access to libvirtd ro socket
Jim Fehlig
jfehlig at suse.com
Wed Dec 2 00:30:00 UTC 2020
On 12/1/20 5:15 PM, Neal Gompa wrote:
> On Tue, Dec 1, 2020 at 4:23 PM Jim Fehlig <jfehlig at suse.com> wrote:
>>
>> On 12/1/20 2:17 AM, Daniel P. Berrangé wrote:
>>> On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
>>>> As a normal user, 'virsh connect qemu:///system' and
>>>> 'virsh connect --readonly qemu:///system' will prompt for root password.
>>>> If the user is added to the libvirt group, only
>>>> 'virsh connect --readonly qemu:///system' will prompt for root password.
>>>
>>> This doesn't make sense - the readonly case should never prompt for
>>> a password, since libvirtd.polkit.in grants that permission out of
>>> the box.
>>
>> I thought something smelled a bit fishy. I meant to annotate the patch with "It
>> is possible I have a broader polkit config issue", but forgot before sending it
>> last night.
>>
>> And indeed after looking again today with fresh eyes I see the problem is in our
>> polkit-default-privs package -> downstream bug. Ignore this patch.
>>
>
> Hah, and I didn't catch this because I rip out the default openSUSE
> stuff that ruins usability by restricting polkit too much. :)
It has been a long time, but I've tripped over default-privs in the past. This
time it was the difference between "restricted" (default in SLES) and "standard"
(default in openSUSE) rules that got me. See /etc/sysconfig/security.
Regards,
Jim
More information about the libvir-list
mailing list